CVE-2024-3094 — xz / liblzma supply-chain backdoor
Malicious code committed to xz-utils 5.6.0 and 5.6.1 by a long-game maintainer ("Jia Tan") that targeted sshd via liblzma. When liblzma was loaded into sshd through the libsystemd dependency chain, it allowed pre-authentication RCE for an attacker holding the backdoor's matching private key.
TL;DR
- Critical (CVSS 10.0), but never reached most stable distro releases — caught by Andres Freund 2024-03-29.
- Affected: xz-utils 5.6.0 and 5.6.1 only. Stable Debian 12, Ubuntu 22.04 / 24.04, RHEL family were never exposed.
- Realistic homelab risk: low for stable-release users, real for rolling-release users (Arch, Tumbleweed, Fedora Rawhide) who installed during the ~38-day window.
- Fix: downgrade to 5.4.x or upgrade to 5.6.2+. Most distros pushed a security update within 48 hours.
- Ongoing lesson: pin to stable distro branches, run unattended-upgrades, and treat upstream-only installs as supply-chain exposure.
At a glance
| CVE ID | CVE-2024-3094 |
|---|---|
| Severity | Critical (CVSS 10.0) |
| CVSS 3.1 score | 10.0 |
| CVSS vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-506 (Embedded Malicious Code) |
| EPSS (probability of exploit, 30-day) | 0.9+ |
| CISA KEV listed | No (CISA issued an alert but did not add to KEV — the backdoor was caught before in-the-wild exploitation) |
| Published | 2024-03-29 |
| Last updated (NVD) | 2024-04-15 |
Affected versions and fix paths
Per-distro fix versions for the packages most homelab fleets run. Match the installed version on your host against the vulnerable column; upgrade to the fixed column.
| Package / distro | Vulnerable | Fixed in |
|---|---|---|
| xz-utils | 5.6.0, 5.6.1 | 5.6.2 (or revert to the 5.4.x branch) |
| Debian 12 (stable) | Not shipped — backdoor caught before stable | n/a |
| Debian sid / testing | 5.6.0, 5.6.1 (briefly) | 5.6.1+really5.4.5-1 |
| Ubuntu 22.04, 24.04 (stable) | Not shipped | n/a |
| Ubuntu 24.04 (proposed, briefly) | 5.6.1 | 5.6.1+really5.4.5-1build0.24.04 |
| Fedora Rawhide / 40 / 41 | 5.6.0, 5.6.1 | 5.4.x (downgraded) |
| Arch Linux | 5.6.0, 5.6.1 (briefly) | 5.6.1-2 (revert) |
| openSUSE Tumbleweed | 5.6.0, 5.6.1 (briefly) | 5.4.x (downgraded) |
| Homebrew (macOS) | 5.6.0 (briefly) | 5.4.6 |
Quick scan check
Run this on each homelab host to determine the installed version. Compare against the table above.
```sh
xz --version | head -1
# or
dpkg -s xz-utils 2>/dev/null | grep ^Version   # Debian/Ubuntu
rpm -q xz                                        # RHEL family
```
If the version string starts with 5.6.0 or 5.6.1, the host may have shipped the backdoored upstream tarball — check the distro fix table above. Anything 5.4.x or ≥5.6.2 is safe.
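As an added check (example code, not part of this advisory or of Noxen), a POSIX sh helper that reduces a distro package version to the upstream xz version before comparing it with the ranges above, so that the Debian/Ubuntu revert package 5.6.1+really5.4.5-1 is reported as safe rather than vulnerable. It assumes the liblzma library packages are named liblzma5 (Debian family) and xz-libs (RHEL family).

```sh
# Added example: classify an xz/liblzma package version against CVE-2024-3094.
# Prints "vulnerable", "safe" or "unknown". Distro packaging is stripped first
# so the Debian/Ubuntu revert package (5.6.1+really5.4.5-1) is read as
# upstream 5.4.5, not as 5.6.1.

# Reduce a package version to the upstream xz version.
#   "5.6.1+really5.4.5-1build0.24.04" -> "5.4.5"
#   "2:5.4.5-0.3"                     -> "5.4.5"   (Debian epoch dropped)
xz_upstream_version() {
    v="$1"
    v="${v#*:}"                               # drop Debian epoch "N:"
    case "$v" in
        *+really*) v="${v#*+really}" ;;       # real upstream follows "+really"
    esac
    v="${v%%-*}"                              # drop Debian revision / RPM release
    printf '%s\n' "$v"
}

# Map an upstream version to the advisory's ranges:
# 5.6.0 and 5.6.1 are backdoored; 5.4.x (and older) or >= 5.6.2 are safe.
xz_status() {
    case "$(xz_upstream_version "$1")" in
        5.6.0|5.6.1) echo vulnerable ;;
        5.[0-5].*|5.6.[2-9]*|5.6.[1-9][0-9]*|5.[7-9].*|[6-9].*) echo safe ;;
        *) echo unknown ;;
    esac
}

# Read the installed liblzma version from the host's package manager,
# falling back to the xz binary (last field of "xz (XZ Utils) 5.4.5").
xz_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' liblzma5 2>/dev/null && return
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs 2>/dev/null && return
    fi
    xz --version 2>/dev/null | head -1 | awk '{print $NF}'
}

installed="$(xz_installed_version)"
echo "installed liblzma: ${installed:-not found} -> $(xz_status "$installed")"
```

Arch's fixed package 5.6.1-2 keeps the 5.6.1 upstream version string and is still reported as vulnerable here; on Arch, check the package revision against the table instead.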
What Noxen does about this
Noxen detects vulnerable xz versions across your fleet automatically — the package-manifest probe inventories xz-utils / xz on every Linux host you've enrolled, and flags any version in the affected range against the live feed.
The deep-dive
For the full narrative — disclosure timeline, exploit mechanics, defence-in-depth context, and homelab-shape risk assessment — read CVE-2024-3094 (xz/liblzma backdoor) — what homelabs had to fear and how to check on the Noxen blog.
Authoritative sources
- NVD entry for CVE-2024-3094
- cve.org record
- FIRST EPSS API for CVE-2024-3094
- CISA KEV catalogue (search for CVE-2024-3094)