Cyber Resilience

CVE-2024-3094

Severity: Critical · Type: RCE · Status: Updated

Published: 29 March 2024

Modified: 17 June 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8597 (99.7th percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2024-3094 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Tukaani xz. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-3094 is a supply-chain compromise affecting the xz compression utilities, specifically versions 5.6.0 and later. Malicious code inserted into the upstream source tarballs uses layered obfuscation to extract a prebuilt object file during the liblzma build; the resulting modified library can then alter the behavior of any application dynamically linked against it.

An attacker who can induce a victim to build or consume the tainted tarballs gains the ability to intercept and tamper with data handled by liblzma-linked processes. Because the backdoor lives in the shared library itself, exploitation requires no authentication or user interaction and can affect any downstream software that depends on the compromised component, yielding full control over confidentiality, integrity, and availability.

Red Hat and other vendors advise immediately avoiding xz 5.6.0 and 5.6.1, downgrading to an unaffected release such as 5.4.x, and rebuilding any packages that incorporated the tainted library; distribution-specific advisories and updated packages are referenced in the listed URLs.
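As an added example (not part of this advisory or the xz project), the following Python script applies the version advice above to a package inventory: it parses dpkg, rpm and `xz --version` style lines, flags the 5.6.0 and 5.6.1 builds the page lists as affected, and marks lines whose version cannot be parsed for manual review. The package-name patterns and the sample inventory are assumptions constructed for the example.

```python
"""Flag xz / liblzma package versions listed as affected by CVE-2024-3094."""
import re
from typing import Iterable, List, Optional, Tuple

# Versions this advisory lists as affected.
AFFECTED = {(5, 6, 0), (5, 6, 1)}

# Assumed package-name patterns; longer names first so "xz-utils" is not cut to "xz".
PACKAGE_RE = re.compile(r"\b(xz-utils|xz-libs|liblzma\d*|xz)\b")
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")

Finding = Tuple[str, Optional[str], str]  # (package, version, status)


def classify(line: str) -> Optional[Finding]:
    """Return a finding for an xz/liblzma line, or None for unrelated packages."""
    pkg = PACKAGE_RE.search(line)
    if not pkg:
        return None
    ver = VERSION_RE.search(line)
    if not ver:
        return (pkg.group(1), None, "unknown")  # unparseable version: review by hand
    vt = tuple(int(x) for x in ver.groups())
    status = "affected" if vt in AFFECTED else "not affected"
    return (pkg.group(1), ".".join(map(str, vt)), status)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Classify every xz/liblzma-related line in an inventory."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def affected_packages(lines: Iterable[str]) -> List[str]:
    """Sorted names of packages found at an affected version."""
    return sorted({pkg for pkg, _, status in scan(lines) if status == "affected"})


# Constructed sample mixing dpkg -l, rpm -qa and `xz --version` output styles.
SAMPLE_INVENTORY = """\
ii  xz-utils         5.6.1-1      amd64  XZ-format compression utilities
ii  liblzma5:amd64   5.6.1-1      amd64  XZ-format compression library
ii  zlib1g:amd64     1:1.3.dfsg-3 amd64  compression library
xz-libs-5.4.6-1.fc40.x86_64
xz (XZ Utils) 5.6.0
liblzma 5.6.0
"""

if __name__ == "__main__":
    for pkg, ver, status in scan(SAMPLE_INVENTORY.splitlines()):
        print(f"{status:13s} {pkg} {ver}")
```

A host-level check would feed it the real output of `dpkg -l`, `rpm -qa` or `xz --version`; a rebuilt package that vendored the tainted tarball still needs the source-level review the advisory describes.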

The EPSS score has remained elevated near its peak of 0.8655, indicating sustained exploitation interest after disclosure.


Vulnerability details

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.


CVEs Like This One

CVE-2026-48027 (shared CWE-506)
CVE-2025-54313 (shared CWE-506)
CVE-2026-6443 (shared CWE-506)
CVE-2026-33634 (shared CWE-506)
CVE-2025-30066 (shared CWE-506)
CVE-2025-30154 (shared CWE-506)
CVE-2026-45321 (shared CWE-506)
CVE-2025-59374 (shared CWE-506)
CVE-2026-34424 (shared CWE-506)
CVE-2026-8398 (shared CWE-506)

Affected Assets

tukaani xz: 5.6.0, 5.6.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-506:

Restricting software to licensed versions and controlling P2P prevents the introduction of software containing embedded malicious code from unauthorized sources.

The control prevents users from installing software that contains embedded malicious code.

Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.

Reverting to a known state removes any malicious code embedded by an attacker.

The approval and review process for maintenance tools can prevent the introduction or continued use of tools containing embedded malicious code.

A supply chain strategy requires vetting and controls during acquisition to prevent or detect the insertion of malicious code by vendors or integrators.

Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish.

The capability explicitly searches for embedded malicious code and backdoors as indicators of compromise.

References