Security flaw in XZ Utils data compression library affects multiple Linux distributions

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Red Hat Linux recently disclosed details surrounding a critical code injection vulnerability, tracked as CVE-2024-3094 (CVSSv3.1 score: 10), resulting from a supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions.

Impact

Successful exploitation of CVE-2024-3094 would likely allow a threat actor to leverage the injected malicious code to modify the behaviour of the liblzma library, which can be used by any software linked against it. Under certain conditions this code may result in unauthorised access to affected systems.

Affected Products

The vulnerability impacts several Linux operating systems, including:

  • Fedora Linux 40
  • Fedora Rawhide
  • openSUSE Tumbleweed
  • openSUSE MicroOS
  • Debian testing, unstable, and experimental versions
  • Kali Linux


The following Linux distributions are not affected by CVE-2024-3094:

  • Red Hat Enterprise Linux (RHEL)
  • All Debian stable releases
  • Amazon Linux
  • Ubuntu

Containment, Mitigations & Remediations

As of the time of writing, there is no remediation for the affected packages. It is therefore strongly recommended that users revert all the affected packages to use the 5.4.x versions of XZ Utils (5.4.6 Stable is the latest uncompromised version) and to discontinue use of platforms that do not currently have a stable version available.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

XZ Utils is free, command-line-driven compression software that ships in many popular Linux distributions and provides the programmes lzma and xz. The software is a dependency of many other packages, including OpenSSH, which is used for remote access to Linux hosts.
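The bulletin's Containment section advises reverting to an uncompromised 5.4.x release, and this section notes that OpenSSH can be linked against liblzma. The following POSIX shell script is an added example, not part of the bulletin, that a defender can run on a host to check both points: it parses the output of `xz --version` and compares it against the two compromised releases named above (5.6.0 and 5.6.1), and it checks whether a binary's `ldd` listing resolves a `liblzma.so` dependency. The function names, the `check_host` helper and the sample `xz --version` and `ldd` outputs embedded below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bulletin): identify compromised XZ Utils releases
# and binaries that load liblzma. Only the version numbers 5.6.0 and 5.6.1 come
# from the bulletin; everything else here is illustrative.

# Return 0 (true) when the version string is one of the compromised releases.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of "xz --version" output, whose first line has
# the form "xz (XZ Utils) 5.6.1". Prints the version or nothing if not found.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when an ldd listing (direct or transitive dependencies) shows liblzma.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample outputs (not captured from a real host) used for a dry run.
SAMPLE_XZ_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_OUTPUT='	linux-vdso.so.1 (0x0000000000000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000000000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000000)'
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x0000000000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000000)'

# Live check of the current host: installed xz version and whether sshd loads
# liblzma. Reports only; reverting packages is left to the distribution tooling.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if xz_version_is_affected "$ver"; then
            echo "xz $ver: compromised release, revert to 5.4.x (5.4.6 is the latest uncompromised version)"
        else
            echo "xz ${ver:-unknown}: not one of the compromised releases"
        fi
    else
        echo "xz not installed"
    fi
    sshd_path=$(command -v sshd 2>/dev/null || true)
    if [ -n "$sshd_path" ] && ldd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "$sshd_path loads liblzma: exposed if that library is a compromised version"
    fi
}

# Dry run on the constructed samples so the script demonstrates itself offline.
sample_ver=$(xz_version_from_output "$SAMPLE_XZ_OUTPUT")
if xz_version_is_affected "$sample_ver"; then
    echo "sample xz output reports $sample_ver: compromised release"
fi
if ldd_links_liblzma "$SAMPLE_LDD_OUTPUT"; then
    echo "sample ldd output shows a liblzma dependency"
fi
```

Run `check_host` after sourcing the script to inspect a real machine. Note that `ldd` lists transitive dependencies, so a positive result for sshd only tells you that liblzma is loaded into the process; whether that library is a compromised build is answered by the version check against the distribution's installed package.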

Given that Linux holds a significant share of the operating system market, and that threat actors weigh both the likelihood of success and the value of the asset when choosing which attack surfaces to focus on, Linux products are frequently prime targets for offensive efforts. Because Linux products have become integral to personal and business activity, threat actors will continue to exploit vulnerabilities in them in an attempt to exfiltrate the sensitive data they hold or to disrupt associated business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Weakness Enumeration

CWE-506 – Embedded Malicious Code

Further Information

Unit42 Analysis