Unrated severity · NVD Advisory · Published Mar 29, 2024 · Updated Nov 20, 2025
Xz: malicious code in distributed source
CVE-2024-3094
Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
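The following host check is an added example and is not part of this advisory or of the xz project. It does the two things a responder would do first after reading the description above: test whether the installed xz/liblzma is one of the backdoored upstream releases (5.6.0 and 5.6.1; 5.6.2 removed the code, consistent with the "< 5.6.2" fixed range listed under Affected products), and scan the liblzma shared object that sshd actually loads for the byte signature of the injected code that was published in the oss-security report listed under References. The function names, the SIG constant, the use of od instead of hexdump and the alignment fix are this example's own choices; the signature bytes are taken from that report and should be verified against it before being relied on.

```sh
#!/bin/sh
# Added example (not from the advisory or the xz project): host-side checks for CVE-2024-3094.
#   xz_version_affected   - is this xz/liblzma version a backdoored upstream release?
#   liblzma_has_signature - does a liblzma .so contain the injected code's byte signature?
#   sshd_liblzma_path     - which liblzma does sshd load (usually indirectly, via libsystemd)?
# SIG is the signature from the oss-security report (openwall 2024/03/29/4) referenced by
# this advisory; confirm it against that post before relying on it.
set -u

SIG=f30f1efa554889f54c89ce5389fb81e7000000804883ec28488954241848894c2410

# Backdoored upstream releases are 5.6.0 and 5.6.1. Distribution suffixes such as
# 5.6.1-1.1 or 5.6.1-r0 are matched too; 5.6.10 and 5.6.2 are deliberately not.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1|5.6.0[-_]*|5.6.1[-_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dump the file as space-separated lowercase hex bytes (od is POSIX, hexdump is not
# everywhere) and search for the signature with a leading space, so a match can only
# start on a byte boundary; a plain grep over a continuous hex string could also match
# at an odd nibble offset. Exit 0 = found, 1 = not found, 2 = file unreadable.
liblzma_has_signature() {
    [ -r "$1" ] || return 2
    spaced=$(printf '%s' "$SIG" | sed 's/../& /g')   # "f3 0f 1e ... 24 10 "
    od -An -v -tx1 "$1" | tr '\n' ' ' | tr -s ' ' | grep -qF -- " $spaced"
}

# Print the liblzma path sshd is dynamically linked against, or return 1 if sshd is
# absent or does not load liblzma (in which case the sshd attack path does not apply).
sshd_liblzma_path() {
    sshd_bin=$(command -v sshd 2>/dev/null) || sshd_bin=/usr/sbin/sshd
    [ -x "$sshd_bin" ] || return 1
    path=$(ldd "$sshd_bin" 2>/dev/null | grep liblzma | grep -o '/[^ ]*' | head -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Report for this host. Exit 0 = nothing found, 1 = affected version or signature present.
check_host() {
    status=0
    ver=$(xz --version 2>/dev/null | sed -n '1s/.* //p')   # "xz (XZ Utils) 5.6.1" -> 5.6.1
    if [ -n "$ver" ] && xz_version_affected "$ver"; then
        echo "xz $ver: backdoored upstream release (CVE-2024-3094)"; status=1
    else
        echo "xz ${ver:-not installed}: version not in the affected range"
    fi
    if lib=$(sshd_liblzma_path); then
        if liblzma_has_signature "$lib"; then
            echo "$lib: injected-code signature present"; status=1
        else
            echo "$lib: signature not found (not proof of a clean library)"
        fi
    else
        echo "sshd does not load liblzma here; the sshd attack path does not apply"
    fi
    return $status
}

check_host
```

Run it as root on the host. The version from the package manager is the primary indicator; the signature check is secondary, since the published bytes match the injected function in the x86-64 build and a miss on another architecture or a rebuilt variant proves nothing. Treat any hit as a compromise of the host rather than a library to be patched in place.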
Affected products
35 OSV coordinates (none has a CPE assigned); ranges are as published in the feed:
- pkg:apk/chainguard/openssh range: < 0
- pkg:apk/chainguard/openssh-client range: < 0
- pkg:apk/chainguard/openssh-doc range: < 0
- pkg:apk/chainguard/openssh-keygen range: < 0
- pkg:apk/chainguard/openssh-keyscan range: < 0
- pkg:apk/chainguard/openssh-keysign range: < 0
- pkg:apk/chainguard/openssh-pam-config range: < 0
- pkg:apk/chainguard/openssh-pam-configuration range: < 0
- pkg:apk/chainguard/openssh-pkcs11-helper range: < 0
- pkg:apk/chainguard/openssh-server range: < 0
- pkg:apk/chainguard/openssh-server-config range: < 0
- pkg:apk/chainguard/openssh-service range: < 0
- pkg:apk/chainguard/openssh-sftp-server range: < 0
- pkg:apk/chainguard/openssh-sk-helper range: < 0
- pkg:apk/chainguard/xz range: < 0
- pkg:apk/chainguard/xz-dev range: < 0
- pkg:apk/chainguard/xz-doc range: < 0
- pkg:apk/wolfi/openssh range: < 0
- pkg:apk/wolfi/openssh-client range: < 0
- pkg:apk/wolfi/openssh-doc range: < 0
- pkg:apk/wolfi/openssh-keygen range: < 0
- pkg:apk/wolfi/openssh-keyscan range: < 0
- pkg:apk/wolfi/openssh-keysign range: < 0
- pkg:apk/wolfi/openssh-pam-config range: < 0
- pkg:apk/wolfi/openssh-pam-configuration range: < 0
- pkg:apk/wolfi/openssh-pkcs11-helper range: < 0
- pkg:apk/wolfi/openssh-server range: < 0
- pkg:apk/wolfi/openssh-server-config range: < 0
- pkg:apk/wolfi/openssh-service range: < 0
- pkg:apk/wolfi/openssh-sftp-server range: < 0
- pkg:apk/wolfi/openssh-sk-helper range: < 0
- pkg:apk/wolfi/xz range: < 0
- pkg:apk/wolfi/xz-dev range: < 0
- pkg:apk/wolfi/xz-doc range: < 0
- pkg:rpm/opensuse/xz?distro=openSUSE%20Tumbleweed range: < 5.6.2-1.1
Only the openSUSE Tumbleweed rpm carries a concrete fixed version (5.6.2-1.1); the 34 Chainguard and Wolfi apk entries carry the range "< 0" exactly as the feed publishes it.
Patches
Vulnerability mechanics
References
4 references
- access.redhat.com/security/cve/CVE-2024-3094 (MITRE; vdb-entry; x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (MITRE; issue-tracking; x_refsource_REDHAT)
- www.openwall.com/lists/oss-security/2024/03/29/4 (MITRE)
- www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users (MITRE)