CRITICAL · CVSS 10.0
CVE-2024-3094 — XZ Utils backdoor
Multi-year supply-chain compromise injected backdoor into liblzma; SSH server affected.
Affects
- xz-utils 5.6.0 and 5.6.1
What an attacker does
A compromised maintainer pushed an obfuscated build-time payload that altered RSA decryption in libsystemd → SSH; disclosure came hours from Debian stable.
How to detect
xz --version | grep -E '5\.6\.[01]'   (any match means an affected 5.6.0 or 5.6.1 xz or liblzma is installed)
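The version check above as a small script, added here and not part of the Securie card: it parses both lines of `xz --version` (the tool line and the liblzma line, since a rebuilt xz binary can sit beside a stale liblzma) and, as an extra assumption-based check, reports whether the installed sshd links liblzma, which on affected distributions happened through libsystemd. The sample version strings at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the Securie page: classify `xz --version` output
# for CVE-2024-3094. Version text is passed as an argument so the logic can
# be exercised offline on constructed samples.

# Print the bare version following a line label ("xz (XZ Utils)" or
# "liblzma"), or nothing if that line is absent. $1 = text, $2 = label.
version_of() {
  printf '%s\n' "$1" | sed -n "s/^$2 \([0-9][0-9.]*\).*/\1/p" | head -n 1
}

# Print one word: "vulnerable" if the xz tool OR liblzma reports 5.6.0 or
# 5.6.1, "unknown" if neither line could be parsed, otherwise "safe".
xz_status() {
  tool=$(version_of "$1" 'xz (XZ Utils)')
  lib=$(version_of "$1" 'liblzma')
  if [ -z "$tool" ] && [ -z "$lib" ]; then
    echo unknown; return 0
  fi
  for v in "$tool" "$lib"; do
    case "$v" in
      5.6.0|5.6.1) echo vulnerable; return 0 ;;
    esac
  done
  echo safe
}

# Assumption-based extra check: the payload reached sshd only where sshd
# loads liblzma (via libsystemd). Exit 0 if the installed sshd links it.
sshd_links_liblzma() {
  bin=$(command -v sshd 2>/dev/null) || bin=/usr/sbin/sshd
  [ -x "$bin" ] && ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Constructed sample (affected): what an unpatched 5.6.1 install prints.
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

if [ "${1:-}" = "--live" ]; then
  echo "installed xz: $(xz_status "$(xz --version 2>/dev/null)")"
  if sshd_links_liblzma; then echo "sshd links liblzma"; else echo "sshd does not link liblzma"; fi
else
  echo "constructed sample: $(xz_status "$SAMPLE_AFFECTED")"
fi
```

Run with `--live` to check the current host; without arguments it only classifies the constructed sample.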
How to fix
Downgrade to 5.4.x or upgrade past 5.6.1
How Securie catches CVE-2024-3094
Securie's SBOM and secrets-lifecycle checks catch xz-utils version drift.