Unrated severity · NVD Advisory · Published Mar 29, 2024 · Updated Nov 20, 2025

Xz: malicious code in distributed source

CVE-2024-3094

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the source code and uses it to modify specific functions in the liblzma code. The resulting modified liblzma library can be used by any software linked against it, intercepting and modifying the data interaction with the library.

Affected products: 35

References: 4
