CVE-2024-47611

CVE-2024-47611 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-88.

Key facts

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.

Frequently asked questions

What is CVE-2024-47611?
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.
How severe is CVE-2024-47611?
CVE-2024-47611 has a CVSS 4.0 base score of 6.3, rated medium severity.
Is CVE-2024-47611 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (50th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2024-47611?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-47611 have an EU (EUVD) identifier?
Yes. CVE-2024-47611 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-42768.
When was CVE-2024-47611 published?
CVE-2024-47611 was published on 2024-10-02 and last updated on 2026-06-17.

References

Other CWE-88 (Argument Injection) vulnerabilities

Browse all CWE-88 (Argument Injection) vulnerabilities →