CVE-2024-3094 | Malicious code was discovered in the upstream tarballs of xz… | CVSS 10.0 CRITICAL

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Metadata

CVE ID: CVE-2024-3094
State: PUBLISHED
Assigner: redhat
Reserved: 2024-03-29 15:38 UTC
Published: 2024-03-29 16:51 UTC
Last updated: 2025-11-20 07:17 UTC
Primary CWE: CWE-506
Embedded Malicious Code
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (7)

Vendor	Product	Platform	Versions
—	—	—	5.6.0, 5.6.1
Red Hat	Red Hat Enterprise Linux 10	—	—
Red Hat	Red Hat Enterprise Linux 6	—	—
Red Hat	Red Hat Enterprise Linux 7	—	—
Red Hat	Red Hat Enterprise Linux 8	—	—
Red Hat	Red Hat Enterprise Linux 9	—	—
Red Hat	Red Hat JBoss Enterprise Application Platform 8	—	—

Weakness (CWE)

CWE	Source	Description
CWE-506	cna	Embedded Malicious Code

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (4)