CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-3094: Xz: malicious code in distributed source

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Classification

CVE ID: CVE-2024-3094

Exploit Prediction Scoring System (EPSS)

EPSS Score: 34.42% (probability of being exploited)

EPSS Percentile: 97.21% (scored less or equal to compared to others)

EPSS Date: 2025-03-07 (when was this score calculated)

References

https://access.redhat.com/security/cve/CVE-2024-3094
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Timeline

2025-02-07 00:31:25 UTC
CVE

Xz: malicious code in distributed source