CVE-2024-3094: Backdoor Found in XZ Utils Compression Tool Used by Linux Distributions

Share :

On March 29, 2024, a security researcher disclosed the discovery of malicious code in the most recent versions of XZ Utils data compression tools and libraries. The code contained a backdoor, which a remote threat actor can leverage to break sshd authentication (the service for SSH access) and gain unauthorized access to the system, potentially leading to Remote Code Execution (RCE). This vulnerability was assigned CVE-2024-3094, with a critical CVSS score reaching the maximum of 10.0 as it is a supply chain compromise that affects the entire Linux ecosystem. 

XZ Utils and Linux 

XZ Utils is a widely used tool in nearly every Linux distribution that encompasses command-line tools for file compression and decompression tasks (such as xz, unxz, etc.) as well as a C library called liblzma. 

The malicious code was discovered in versions 5.6.0 and 5.6.1 of XZ Utils, which may have been recently received by users across various Linux distributions in February. Linux distribution vendors, such as Red Hat, Debian, Kali Linux, openSUSE, Alpine, and Arch Linux have either confirmed they patched the issue in their environments or were unaffected by it. 


Although Arctic Wolf has not yet observed active exploitation of this vulnerability, proof of concept (PoC) exploit code is now available. Vulnerabilities that create supply chain compromises, such as Log4Shell in 2021, are highly sought after by threat actors and can have devastating impacts. Arctic Wolf assesses with high confidence that threat actors will likely target this vulnerability in the near future, given its potential impact across the entire Linux ecosystem and the level of access they can achieve upon compromising a system. 

Recommendation for CVE-2024-3094

Follow Guidance from Linux Distribution Vendors 

Arctic Wolf strongly recommends following the guidance provided by Linux distribution vendors as shown in the table below: 

Linux Distribution   Version  Affected?  Recommendation 
Red Hat  Red Hat Enterprise Linux  No  No action needed 
Fedora  Fedora 40 (and Beta version)  No  While not directly affected, Red Hat recommends downgrading XZ Utils to version 5.4 as a precaution 
Fedora Rawhide  Yes  Stop usage until it is reverted to xz-5.4.x (release will be available shortly according to Red Hat) 
Debian  Stable  No  No action needed 
Testing, unstable, and experimental versions ranging from 5.5.1alpha-0.1, up to and including 5.6.1-1.  Yes  Upgrade xz-utils packages 
Kali Linux  Versions updated before March 26  No  No action needed 
Versions from updated between March 26 – March 29  Yes  Apply latest updates per Kali Linux guidance 
openSUSE  Enterprise and Leap  No  No action needed 
Tumbleweed  Yes  Upgrade to newly provided Tumbleweed snapshot 
Alpine  edge-main  Yes  Upgrade to latest version 
Arch Linux  installation medium 2024.03.01  Yes  Upgrade if system has XZ version 5.6.0-1 or 5.6.1-1. 
virtual machine images 20240301.218094 and 20240315.221711  Yes  Upgrade affected images to most recent version 
container images created between and including 2024-02-24 and 2024-03-28  Yes  Upgrade affected images to most recent version 
Other Linux distributions not listed above  Other Linux distributions not listed above  N/A  Arctic Wolf strongly advises users to downgrade XZ Utils to version 5.4 and to stay updated on vendor guidance as they work to address the issue 

Please follow your organization’s patching and testing guidelines to avoid operational impact. 


  1. Red Hat Advisory 
  2. Red Hat (CVE-2024-3094) 
  3. Debian Advisory
  4. Kali Linux Advisory
  5. openSUSE Advisory
  6. Alpine Advisory 
  7. Arch Linux Advisory 
  8. Malicious Code Discovery
  9. CVE-2024-3094 PoC 

See other important security bulletins from Arctic Wolf.

Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter