Unrated severity · NVD Advisory · Published Mar 29, 2024 · Updated Nov 20, 2025
Xz: malicious code in distributed source
CVE-2024-3094
Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree, and that object is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that is loaded by any software linked against it, able to intercept and modify the data passing through the library.
Affected products: 1
Patches: 0 (no patches discovered yet)
References (4)
- access.redhat.com/security/cve/CVE-2024-3094 (mitre: vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre: issue-tracking, x_refsource_REDHAT)
- www.openwall.com/lists/oss-security/2024/03/29/4 (mitre)
- www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users (mitre)