CVE DATABASE  /  CVE-2024-3094

CVE-2024-3094

Summary

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

CVSS 3.1 breakdown

Weakness type (CWE)

• CWE-506

Affected products

Our coverage

• IBM Red Hat Project Lightwell Pledges $5B for Open Source Security
• DAEMON Tools Supply Chain Attack Deploys QUIC RAT Backdoor

References

• https://access.redhat.com/security/cve/CVE-2024-3094
• https://bugzilla.redhat.com/show_bug.cgi?id=2272210
• https://www.openwall.com/lists/oss-security/2024/03/29/4
• https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
• http://www.openwall.com/lists/oss-security/2024/03/29/10
• http://www.openwall.com/lists/oss-security/2024/03/29/12
• http://www.openwall.com/lists/oss-security/2024/03/29/4
• http://www.openwall.com/lists/oss-security/2024/03/29/5
• http://www.openwall.com/lists/oss-security/2024/03/29/8
• http://www.openwall.com/lists/oss-security/2024/03/30/12
• http://www.openwall.com/lists/oss-security/2024/03/30/27
• http://www.openwall.com/lists/oss-security/2024/03/30/36
• http://www.openwall.com/lists/oss-security/2024/03/30/5
• http://www.openwall.com/lists/oss-security/2024/04/16/5
• https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/

Data: NIST NVD. NVD last modified 2025-08-19. Always verify against the vendor advisory before acting.