Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. 
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source code and uses it to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, intercepting and modifying the data that software exchanges with the library.
                
History
Tue, 19 Aug 2025 01:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| References |  | 
Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | epss | epss |
Mon, 14 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | epss | epss |
Sat, 12 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | epss | epss |
Sat, 05 Jul 2025 03:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| CPEs | cpe:/o:redhat:enterprise_linux:10 | 
Thu, 06 Feb 2025 09:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc |
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-03-29T16:51:12.588Z
Updated: 2025-08-19T01:03:12.439Z
Reserved: 2024-03-29T15:38:13.249Z
Link: CVE-2024-3094
Vulnrichment
Updated: 2025-08-19T00:24:09.962Z
NVD
Status: Modified
Published: 2024-03-29T17:15:21.150
Modified: 2025-08-19T01:15:57.407
Link: CVE-2024-3094
Redhat