CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2024-3094 · CVSS 10.0 · EPSS 86.00%

CVE-2024-3094: The XZ Backdoor We Almost Missed

Alon Barad, Software Engineer

Jan 6, 2026 · 7 min read

Weaponized

Executive Summary (TL;DR)

A malicious actor spent years gaining trust to become an open-source maintainer, then injected a highly obfuscated backdoor into a core Linux compression library (XZ/liblzma). The backdoor targets SSH servers, allowing complete system takeover. A lone developer noticed a 500ms login delay and unraveled one of the most audacious supply chain attacks ever conceived.

CVE-2024-3094 documents a sophisticated, multi-year supply chain attack targeting the XZ Utils data compression library, a ubiquitous component in most Linux distributions. Malicious code was deliberately and stealthily inserted into the release tarballs for versions 5.6.0 and 5.6.1. This code, activated during the software build process, creates a backdoor in the `liblzma` library, specifically targeting OpenSSH servers to allow remote, unauthenticated attackers to execute arbitrary code. The discovery of this backdoor, which narrowly averted a global security catastrophe, was made by a developer investigating a minor performance lag in SSH connections.
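The two facts the summary gives a defender to act on are the affected release numbers (5.6.0 and 5.6.1) and the delivery path (sshd reaching the backdoor through `liblzma`). The triage script below, written for this page rather than taken from the CVEReports project or from XZ Utils, turns those into a host check: it parses `xz --version` for the liblzma version and `ldd` output for the sshd binary to see whether liblzma is loaded into the SSH server at all. The sample command output it ships with is constructed, not captured from a real host.

```python
"""Triage check for CVE-2024-3094: is the installed XZ Utils one of the
backdoored releases (5.6.0 / 5.6.1), and does sshd load liblzma at all?
Example code written for this report, not part of the CVEReports project."""
import re
import shutil
import subprocess
from typing import Optional

# The two releases the report names as carrying the backdoor.
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd1d9f0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a00000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f39ffc00000)\n"
)

def parse_xz_version(version_output: str) -> Optional[str]:
    """Extract the liblzma version from `xz --version` output. The liblzma
    line is preferred because that is the library sshd would actually load."""
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", version_output, re.MULTILINE)
    if m is None:
        m = re.search(r"xz \(XZ Utils\)\s+(\d+\.\d+\.\d+)", version_output)
    return m.group(1) if m else None

def is_backdoored_version(version: Optional[str]) -> bool:
    return version in BACKDOORED_VERSIONS

def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if `ldd $(command -v sshd)` lists liblzma. Distribution sshd builds
    that link libsystemd pull liblzma in transitively; that is how the backdoor
    got into the sshd process on the affected distributions."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())

def triage(version_output: str, ldd_output: str) -> dict:
    """Combine both signals: a backdoored version is bad regardless, while the
    ldd result says whether this sshd was within the backdoor's reach."""
    version = parse_xz_version(version_output)
    return {
        "liblzma_version": version,
        "backdoored_version": is_backdoored_version(version),
        "sshd_loads_liblzma": sshd_links_liblzma(ldd_output),
    }

def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    print(triage(_run(["xz", "--version"]), _run(["ldd", sshd])))
```

The version string is a first-pass indicator only: distributions that rolled back kept their own package version schemes, so confirm against your distribution's advisory rather than the reported number alone.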

Technical Appendix

CVSS Score: 10.0 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Probability: 86.00% (top 1% most exploited)

Affected Systems

XZ Utils versions 5.6.0 and 5.6.1, and Linux distributions that incorporated these versions into their testing/unstable/rolling-release branches, such as Fedora Rawhide, Debian testing/unstable, and Arch Linux.

Affected Versions Detail

Product  | Vendor  | Affected Version | Fixed Version
XZ Utils | tukaani | 5.6.0            | Revert to < 5.6.0
XZ Utils | tukaani | 5.6.1            | Revert to < 5.6.0

Attribute           | Detail
CWE ID              | CWE-506: Embedded Malicious Code
Attack Vector       | Network (AV:N)
Attack Complexity   | Low (AC:L)
Privileges Required | None (PR:N)
Impact              | Complete system compromise (Confidentiality, Integrity, Availability are all High)
CVSS v3.1 Score     | 10.0 (Critical)
EPSS Score          | 85.99% (probability of exploitation)
KEV Status          | Not Listed (discovered before widespread exploitation)

MITRE ATT&CK Mapping

  • T1199 Trusted Developer (Initial Access)
  • T1036 Masquerading (Defense Evasion)
  • T1556 Modify Authentication Process (Credential Access)
  • T1190 Exploit Public-Facing Application (Initial Access)

CWE-506: Embedded Malicious Code

The product contains code that appears to be a backdoor or hidden functionality.

Known Exploits & Detection

  • GitHub: Notes, honeypot, and exploit demonstration for the xz backdoor (CVE-2024-3094).
  • GitHub: An SSH honeypot with the XZ backdoor to study attack attempts.
  • Nuclei: Detection template available.

Vulnerability Timeline

  • 2024-03-29: Andres Freund publicly discloses the backdoor on the oss-security mailing list.
  • 2024-03-29: CVE-2024-3094 is published.
  • 2024-03-29: Major Linux distributions issue urgent security advisories and begin rolling back to safe versions.


Attack Flow Diagram
