XZ Utils Vulnerability Response (Apr 5, 2024)


Vulnerability CVE-2024-3094 has been reported for malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. XZ Utils is data compression software and may be present in Linux distributions.

Date of publication

April 5th, 2024


Malicious code was discovered in the upstream tarballs of xz versions 5.6.0 and 5.6.1. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.


It was found that malicious code interfered with the OpenSSH daemon. While OpenSSH is not directly linked to the liblzma library, it does communicate with systemd in such a way that exposes it to the malware due to systemd linking to liblzma.


No action is required as HYCU does not use the affected version of liblzma.


Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.