CVE Number: CVE-2024-3094
Vulnerability: XZ Utils Vulnerability
Product: XZ Utils
Severity: Critical
Date: 05-04-2024

Technical Information

A remote code execution vulnerability exists in XZ Utils, a data compression format present in Linux distributions. Malicious code was found in the upstream tarballs of XZ. The liblzma build process extracts a prebuilt object file from a disguised test file in the source code, which is then used to modify specific functions in the liblzma code. This malicious build interferes with sshd via systemd, which could potentially allow an attacker to break sshd authentication and gain unauthorized access to the entire system remotely.

Information release date: Mar 30, 2024
Patch release date: No patch is available yet
Further information on this vulnerability is available at: CVE-2024-3094

Affected Software

XZ Utils 5.6.0
XZ Utils 5.6.1
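
A host check for the two affected versions listed above, as an added example that is not part of the original advisory. It reads `xz --version` style output or a package version string; the function names and the sample strings (including the Debian-style epoch and "+really" forms) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Versions listed under "Affected Software" in this advisory.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Reduce a version string to its upstream x.y.z part (hypothetical helper).
upstream_version() {
    v=${1##* }                                      # "xz (XZ Utils) 5.6.1" -> "5.6.1"
    v=${v#*:}                                       # drop a package epoch such as "1:"
    case $v in *+really*) v=${v##*+really} ;; esac  # rollback marker: real version follows
    v=${v%%-*}                                      # drop a package revision such as "-1"
    printf '%s\n' "$v" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# Exit status 0 when the string names an affected upstream version.
# Exact comparison, so 5.6.10 does not match 5.6.1.
is_affected() {
    up=$(upstream_version "$1")
    for a in $AFFECTED_VERSIONS; do
        [ "$up" = "$a" ] && return 0
    done
    return 1
}

# Read version lines on stdin, print the affected ones, return 0 if any matched.
# `xz --version` reports xz and liblzma on separate lines; both are checked
# because the backdoor lives in the liblzma build.
scan_version_output() {
    found=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_affected "$line"; then
            printf 'AFFECTED: %s\n' "$line"
            found=0
        fi
    done
    return $found
}

# Constructed sample of `xz --version` output from an affected build.
SAMPLE_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Live check when xz is installed on this host.
if command -v xz >/dev/null 2>&1; then
    xz --version | scan_version_output || printf 'xz: version not in the affected list\n'
fi
```

A match means only that the version appears in the affected list; distribution packages may carry their own versioning, so confirm against the vendor's advisory.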