Skip to content
← Browse CVEs

CVE-2024-3094

Critical · CVSS 10EPSS 86.0%CWE-506 · Embedded Malicious Code

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

References

NVD MITRE CVE.org

Published

Community ground truth

Community verdict

3 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

to add your verdict.

Community real-world severity: High (High 2 · Medium 1) — CVSS base score 10

Practitioners rate this lower than its CVSS — likely over-rated by the score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • 0
    Field note · Marco FerriCurated

    CVSS 10 and rightly so in potential — a supply-chain SSH auth bypass. But in practice it was caught (thanks Andres Freund) before it reached stable releases. Only xz 5.6.0/5.6.1 on glibc+systemd-linked sshd, mostly bleeding-edge distros (Fedora 40/Rawhide, Debian sid, Kali, Arch). No confirmed in-the-wild exploitation. Real, but real-world blast radius was small.

  • 0
    Remediation · Lin WeiCurated

    Downgrade xz/liblzma to a known-good version (≤5.4.x) and verify with your distro's advisory. Inventory anything that pulled testing/unstable repos in March 2024.