CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-3094

CVSS 10.0v3.1pub. 2024-03-29upd. 2025-08-19

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

🤖 AI Analysis
How it works

The malicious code is hidden in a disguised test file contained in the source code. During the liblzma library build process, an extraction script retrieves a precompiled binary object from this file and uses it to modify selected functions in the liblzma library. As a result, a modified version of the library is created that intercepts and modifies data exchanged by software using this library. The entire mechanism is based on a series of complex obfuscation techniques, which makes detection of malicious code difficult during standard inspection.

Impact

An attacker can intercept and modify data processed by any software linked with the infected liblzma library, which in practice can lead to unauthorized access, violation of data confidentiality and integrity, and in the worst case scenario to remote code execution (RCE).

Mitigation & patch

The xz/liblzma library should be immediately downgraded to a version preceding 5.6.0 (e.g., 5.4.x) or patches available from the distribution vendor should be applied according to references. Red Hat issued an urgent security alert for Fedora 41 and Rawhide users — follow the guidelines provided by your distribution vendor.

Who is affected

The xz library (liblzma) in versions 5.6.0 and newer, distributed as official source archives (tarballs) by the Tukaani project; affects any system or software that was built using the vulnerable version of the library

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Tukaani Xz

    APP
    Tukaani
    5.6.05.6.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2022-1271HIGH8.8ten sam produkt

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the atta...

CVE-2015-4035HIGH7.8ten sam produkt

scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing s...

CVE-2020-22916MEDIUM5.5ten sam produkt

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted f...

CVE-2026-34743LOW1.7ten sam produkt

XZ Utils to biblioteka do kompresji danych ogólnego przeznaczenia wraz z narzędziami wiersza poleceń. W wersja...