CVE-2024-3094
Published: 29 March 2024
Summary
CVE-2024-3094 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability in Tukaani xz (XZ Utils). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-3094 is a supply-chain compromise affecting the xz compression utilities, specifically the 5.6.0 and 5.6.1 release tarballs. The malicious code was inserted into the upstream source tarballs rather than the public git repository: a tampered m4/build-to-host.m4 script, run during the liblzma build, uses layered obfuscation to extract a prebuilt object file hidden in files under tests/ and link it into liblzma. The resulting modified library can then alter the behavior of any application dynamically linked against it.
An attacker who can induce a victim to build or consume the tainted tarballs, or to install a distribution package built from them, obtains the ability to intercept and tamper with data handled by liblzma-linked processes. Because the backdoor is present in the shared library itself, exploitation requires no authentication or user interaction and can affect any downstream software that depends on the compromised component, yielding full control over confidentiality, integrity, and availability. In the observed payload the target was OpenSSH's sshd on distributions where sshd loads liblzma through libsystemd: the backdoor hooks the RSA_public_decrypt path of certificate authentication so that a connection carrying data signed with the attacker's key is executed as a command before authentication completes.
Red Hat and other vendors advise immediately avoiding xz 5.6.0 and 5.6.1, downgrading to an unaffected release such as 5.4.x, and rebuilding any packages that incorporated the tainted library; distribution-specific advisories and updated packages are referenced in the listed URLs. The tainted versions reached mainly rolling and pre-release distributions (for example Fedora Rawhide and Debian unstable), so the first step on any host is to confirm which xz/liblzma version is installed and whether sshd actually links against liblzma.
The EPSS score has remained elevated near its peak of 0.8655, meaning the model's predicted probability of exploitation within 30 days has stayed high since disclosure.
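The triage described above reduces to three concrete checks: is the installed xz one of the two tainted releases, does sshd (or any other exposed service) actually load liblzma, and does a release tarball contain files that are absent from the version-controlled source. The POSIX shell below is an added example written for this page, not code from the advisory, the xz project, or any vendor. It assumes that `xz --version` prints "xz (XZ Utils) X.Y.Z" on its first line and that `ldd` prints one "libname => path" line per dependency; the directory trees referenced in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example for this page (not the xz project's or any vendor's code).
# Three triage checks for CVE-2024-3094. Assumptions: `xz --version` prints
# "xz (XZ Utils) X.Y.Z" on its first line, and `ldd` (glibc, Linux) prints
# one "libname => path" line per dependency.

# 1. Is a version string one of the two tainted releases? The check is an
#    exact match: 5.6.2 and later were released clean and 5.4.x is the
#    downgrade target, so a "greater or equal" comparison would be wrong.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extract the bare version from the first line of an `xz --version` banner.
# Prints nothing if the banner does not match the assumed format.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Convenience wrapper for a live host: status 0 if the installed xz is tainted.
installed_xz_affected() {
    command -v xz >/dev/null 2>&1 || return 1
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    xz_version_affected "$ver"
}

# 2. Does a binary dynamically link liblzma? The observed payload only mattered
#    where sshd pulled in liblzma via libsystemd, so this decides whether an
#    exposed service was even reachable by the backdoor. Linux/glibc only.
binary_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma\.so'
}

# 3. Which regular files exist in a release tarball tree but not in the VCS
#    checkout? The loader for this backdoor lived in m4/build-to-host.m4, a
#    file present in the tarball and absent from the git repository. Run the
#    project's autogen/autoreconf on the checkout first, otherwise every
#    generated autotools file shows up as noise.
tarball_only_files() {
    tf=$(mktemp) && vf=$(mktemp) || return 1
    (cd "$1" && find . -type f | LC_ALL=C sort) > "$tf"
    (cd "$2" && find . -type f | LC_ALL=C sort) > "$vf"
    LC_ALL=C comm -23 "$tf" "$vf"
    rm -f "$tf" "$vf"
}

# Usage on a live host (paths are placeholders):
#   installed_xz_affected && echo "tainted xz: $(xz --version | head -1)"
#   binary_links_liblzma /usr/sbin/sshd && echo "sshd loads liblzma"
#   tarball_only_files xz-5.6.1/ xz-git-checkout/
```

The version check is deliberately an exact match rather than a range: a host on 5.6.2 or 5.4.6 is clean, and a comparison such as "5.6.0 or newer" would misreport both. The tarball comparison is the generic form of the check that would have exposed this compromise, and it only gives a clean signal once the generated autotools files have been regenerated on the git side.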
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31700
Vulnerability details
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
- CWE(s): CWE-506 (Embedded Malicious Code)
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived generically from the weakness type (CWE-506) cited in the NVD entry, not from the specifics of the xz compromise.
- Restricting software to licensed versions and controlling peer-to-peer file sharing prevents introduction of software containing embedded malicious code from unauthorized sources.
- Controlling which software users may install prevents users from installing software that contains embedded malicious code.
- Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.
- Reverting to a known-good state captured before the compromise removes malicious code embedded by an attacker.
- An approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code.
- A supply chain strategy that requires vetting and controls during acquisition can prevent or detect insertion of malicious code by vendors or integrators.
- Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish.
- Compromise-detection capabilities explicitly search for embedded malicious code and backdoors as indicators of compromise.