Critical XZ Utils Backdoor (CVE‑2024‑3094) Threatens Millions of Linux Systems
A backdoor discovered in XZ Utils versions 5.6.0 and 5.6.1 (CVE‑2024‑3094) lets a remote attacker bypass sshd authentication and execute code on affected hosts. It reached the development branches of major Linux distributions, including Debian testing/unstable, Fedora Rawhide and Fedora 41, Arch Linux, and openSUSE Tumbleweed, and users of those branches are urged to upgrade immediately.
A critical security alert (CVE‑2024‑3094) has been issued for XZ Utils, the compression tool and library (liblzma) used widely across Linux distributions. Versions 5.6.0 (released 2024‑02‑24) and 5.6.1 (released 2024‑03‑09) contain a hidden backdoor that can bypass sshd authentication and give an attacker full remote control of the system.
The backdoor was discovered by Andres Freund, a PostgreSQL developer and Microsoft software engineer, after he noticed unusually high CPU usage during SSH logins on a Debian sid installation. He traced the issue to malicious code that had been introduced into the upstream XZ repository and release tarballs and shipped as part of liblzma.
The malicious payload is heavily obfuscated. Red Hat's analysis notes that the injection is only present in full in the release tarball: the XZ Utils Git repository lacks the M4 macro that triggers the build of the malicious code, but the second‑stage artifacts (disguised as binary test files) remain in the repository, ready to be injected at build time whenever the malicious macro is present.
“During the past weeks I observed strange symptoms around liblzma in Debian sid (high CPU during SSH, valgrind errors) and found that the upstream xz repository and tarball had been backdoored,” Freund wrote.
The attack chain works as follows. The malicious M4 macro, present only in the tarball's build scripts, extracts the payload from the disguised test files and links it into liblzma during the build. On distributions whose OpenSSH is patched to support systemd service notifications (Debian and Fedora among them), sshd links libsystemd, and libsystemd in turn depends on liblzma. When sshd starts, the trojaned liblzma is loaded into the process and uses glibc's IFUNC resolver mechanism to redirect OpenSSL's RSA_public_decrypt to malicious code, effectively bypassing authentication.
Investigation linked the malicious changes to the GitHub account JiaT75, used by "Jia Tan", who by then was one of the two main XZ Utils maintainers. The same persona also pushed to get the compromised package into Ubuntu's repository, but that effort was halted.
Fedora developers reported similar pressure to include the backdoored package in Fedora 40 Beta and the upcoming Fedora 41, prompting urgent remediation.
What is XZ Utils?
XZ Utils is a collection of tools for compressing and decompressing files in the .xz format, which offers high compression ratios for storage and transmission. The package includes the xz command for compression, unxz (or xz --decompress) for decompression, and various utilities for testing, comparing, and repairing XZ archives. It also provides liblzma, the library that other software links against to read and write the format; this library is what the backdoor was hidden in. These tools are present on most Linux systems for handling compressed logs, packages, and other data.
Affected Linux Distributions
Debian
No Debian stable release is affected. Compromised packages were part of the testing, unstable, and experimental distributions, with versions from 5.5.1alpha-0.1 (uploaded 2024‑02‑01) up to and including 5.6.1-1. The packages have been reverted to upstream 5.4.5 code and re‑released as 5.6.1+really5.4.5-1 (a version string chosen to sort above the compromised builds). Users of Debian testing/unstable should update the xz-utils and liblzma5 packages.
Fedora
Fedora Rawhide users most likely received the compromised package, and Fedora 40 Beta users who pull from the testing repositories may also have it installed. Users on the stable Fedora repositories are not affected. Red Hat advised against using Fedora Rawhide for work or personal activity until the issue is resolved.
Red Hat
No Red Hat Enterprise Linux (RHEL) versions are affected.
Arch Linux
Arch images containing the vulnerable xz include:
Installation medium 2024.03.01
Virtual machine images 20240301.218094 and 20240315.221711
Container images created between 2024‑02‑24 and 2024‑03‑28 (inclusive)
These images have been replaced, and the backdoored package has been removed from Arch mirrors; users should upgrade to the latest xz version, which is rebuilt from the Git source. Arch also noted that its sshd is not linked against liblzma, so the known trigger path does not exist there, but that does not mean the installed package is clean.
SUSE / openSUSE
SUSE Linux Enterprise and Leap are built independently from openSUSE Tumbleweed; the malicious file does not exist in those releases.
openSUSE Tumbleweed maintainers reverted the xz version on 2024‑03‑28 and published a new snapshot built from a clean backup.
All users are advised to check the installed xz version with xz --version (upstream 5.6.0 and 5.6.1 are backdoored; on Arch and Debian these shipped as packages 5.6.0‑1 and 5.6.1‑1) and perform a full system upgrade. Because a running sshd keeps the old liblzma mapped in memory, restart sshd after the upgrade.
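The triage check a practitioner would want at this point, written for this page as an added example; it is not from the original article or from any distribution's advisory. It covers the two facts the attack chain above turns on: whether the installed xz/liblzma is one of the backdoored upstream releases, and whether sshd actually loads liblzma on this host (the only known trigger path). The version logic handles distro suffixes and Debian's 5.6.1+really5.4.5-1 revert convention, which a naive prefix match would flag as vulnerable. The package-manager invocations and the /usr/sbin/sshd and /usr/bin/sshd paths are assumptions about the host; the sample xz --version output is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): host triage for CVE-2024-3094.
# Pure helpers first (usable offline), live host checks behind --live.

# Reduce a distro package version to the upstream version it really carries.
#   "5.6.1+really5.4.5-1" -> 5.4.5   (Debian revert: the code is 5.4.5)
#   "1:5.6.1-1"           -> 5.6.1   (epoch and Debian revision stripped)
#   "5.6.0-3.fc41"        -> 5.6.0   (Fedora release suffix stripped)
upstream_version() {
    v="$1"
    case "$v" in
        *+really*) v="${v#*+really}" ;;   # text after "+really" is the real version
    esac
    v="${v#*:}"        # drop epoch, if any
    v="${v%%-*}"       # drop distro release suffix
    printf '%s\n' "$v"
}

# Return 0 if the version string denotes a backdoored release. Only upstream
# 5.6.0 and 5.6.1 carry the backdoor (Debian reverted its 5.5.1alpha test
# packages as well, but those are not CVE-2024-3094).
version_is_backdoored() {
    case "$(upstream_version "$1")" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` output; its first line reads
# "xz (XZ Utils) 5.6.1".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][^ ]*\).*/\1/p'
}

# Constructed sample of `xz --version` output from a backdoored build.
SAMPLE_XZ_VERSION_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# "<package> <version>" lines from whichever package manager is present.
# Package names are assumptions about the common distro packaging.
installed_pkg_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version}\n' xz-utils liblzma5 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs 2>/dev/null | grep -v 'not installed'
    elif command -v pacman >/dev/null 2>&1; then
        pacman -Q xz 2>/dev/null
    fi
}

# Return 0 if sshd transitively loads liblzma (via libsystemd on Debian/Fedora).
# ldd follows transitive dependencies, which `readelf -d sshd` alone would not.
# Caveat: ldd runs the dynamic loader on the binary; on a host you already
# believe is compromised, copy the binary off and inspect it elsewhere.
sshd_loads_liblzma() {
    for sshd in "$(command -v sshd 2>/dev/null)" /usr/sbin/sshd /usr/bin/sshd; do
        [ -n "$sshd" ] && [ -x "$sshd" ] || continue
        ldd "$sshd" 2>/dev/null | grep -q 'liblzma' && return 0
        return 1
    done
    return 2   # no sshd binary found
}

# Live checks; returns 1 if anything backdoored is installed, else 0.
run_host_checks() {
    status=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if version_is_backdoored "$ver"; then
            echo "VULNERABLE: xz binary reports $ver"; status=1
        else
            echo "ok: xz binary reports ${ver:-unknown}"
        fi
    fi
    pkgs=$(installed_pkg_versions)
    while read -r name pkgver; do      # here-doc, not a pipe: status survives the loop
        [ -n "$name" ] || continue
        if version_is_backdoored "$pkgver"; then
            echo "VULNERABLE: package $name is $pkgver"; status=1
        else
            echo "ok: package $name is $pkgver"
        fi
    done <<EOF
$pkgs
EOF
    if sshd_loads_liblzma; then
        echo "note: sshd loads liblzma, so the known trigger path exists on this host"
        [ "$status" -eq 0 ] || echo "ACTION: downgrade/rebuild xz, then restart sshd"
    else
        echo "note: sshd does not load liblzma (or no sshd found)"
    fi
    return "$status"
}

case "${1:-}" in
    --live) run_host_checks; exit $? ;;
esac
```

Run it as `sh xz_check.sh --live`; the exit status is 1 when a backdoored version is installed, which makes it usable from a fleet-wide job. Without `--live` the file only defines the helpers, so it can be sourced and unit-checked on a machine that has nothing to do with xz.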
The incident demonstrates a patient, pre‑planned supply‑chain attack: a backdoor was inserted into a core compression library by a trusted maintainer and was set to reach millions of Linux systems through regular distribution updates. It was caught only because one engineer investigated a half‑second login delay.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.