CVE-2024-3094 CRITICAL

CVE-2024-3094: Xz: malicious code in distributed source

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-506
Published March 29, 2024
Last update November 20, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Key dates

02Disclosure timeline

March 29, 2024 CVE published
November 20, 2025 Record updated