Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1392

XZ Utils Backdoor (CVE-2024-3094)

What is XZ Utils Backdoor (CVE-2024-3094)?

A nearly successful 2024 supply-chain attack in which a long-term contributor planted an obfuscated SSH backdoor in the upstream xz/liblzma library shipped by most Linux distributions.


The XZ Utils backdoor (CVE-2024-3094) is a software supply-chain compromise disclosed on 29 March 2024 by Microsoft engineer Andres Freund, who noticed unusual CPU usage and Valgrind errors from sshd on a Debian sid system. Investigation revealed that the xz/liblzma upstream maintainer 'Jia Tan' — a persona that had spent roughly two years building trust on the project — had committed obfuscated build-time scripts that, when packaged on rpm- or deb-based distributions with systemd's libsystemd → liblzma dependency, replaced an OpenSSH-server function via IFUNC resolvers and enabled remote code execution for a holder of a specific Ed448 private key. The malicious code shipped in xz-utils 5.6.0 and 5.6.1 and reached Debian testing/unstable, Fedora 40/41 (Rawhide), openSUSE Tumbleweed, Kali, and Arch, but was caught before most stable releases. The incident reshaped industry thinking about single-maintainer open-source dependencies, IFUNC-based stealth, and the limits of trust in long-tenured contributors.

Examples

  1. Andres Freund detected the backdoor after observing sshd taking ~500 ms longer than expected during failed logins on Debian unstable.

  2. Distributions rolled back xz-utils to 5.4.x and rotated SSH host keys on any system that had briefly run 5.6.0 or 5.6.1.
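As an added example that is not part of this glossary entry, the following POSIX shell script performs the triage check a defender would run after the disclosure: it flags the two backdoored releases and checks whether sshd links liblzma, the libsystemd → liblzma path described in the definition. It assumes `xz` is on PATH and sshd at /usr/sbin/sshd when not on PATH; the function names and verdict strings are the example's own.

```shell
#!/bin/sh
# Added example (not from the glossary page): triage check for the two
# backdoored xz-utils releases and for sshd pulling in liblzma.
# Assumed paths: `xz` on PATH, sshd at /usr/sbin/sshd if not on PATH.

# True (exit 0) only for the two releases that shipped the backdoor.
xz_version_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version out of `xz --version` text read from stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when an `ldd` listing read from stdin names liblzma.
ldd_links_liblzma() {
    grep -q 'liblzma\.so'
}

# Combine both signals into one verdict:
#   sshd-exposed      backdoored release installed and sshd links liblzma
#   affected-version  backdoored release installed, sshd does not link it
#   clean             installed release is not 5.6.0 or 5.6.1
#   unknown           version could not be determined
assess() {
    version="$1"
    ldd_output="$2"
    if [ -z "$version" ]; then
        echo unknown
    elif ! xz_version_is_affected "$version"; then
        echo clean
    elif printf '%s\n' "$ldd_output" | ldd_links_liblzma; then
        echo sshd-exposed
    else
        echo affected-version
    fi
}

# Run the check against the current host (invoke with --live).
run_live_check() {
    version=$(xz --version 2>/dev/null | parse_xz_version)
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    ldd_output=$(ldd "$sshd_path" 2>/dev/null || true)
    assess "$version" "$ldd_output"
}

if [ "${1:-}" = "--live" ]; then run_live_check; fi
```

A "sshd-exposed" verdict matches the condition under which the backdoor actually reached the OpenSSH server; the rollback and host-key rotation listed above applied to any system that ran the affected builds.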

Frequently asked questions

What is XZ Utils Backdoor (CVE-2024-3094)?

A nearly successful 2024 supply-chain attack in which a long-term contributor planted an obfuscated SSH backdoor in the upstream xz/liblzma library shipped by most Linux distributions. It belongs to the Attacks & Threats category of cybersecurity.

How do you defend against XZ Utils Backdoor (CVE-2024-3094)?

Defences for XZ Utils Backdoor (CVE-2024-3094) combine technical controls and operational practices. For this incident, the responses described above were rolling xz-utils back to 5.4.x and rotating SSH host keys on any system that had run 5.6.0 or 5.6.1.

What are other names for XZ Utils Backdoor (CVE-2024-3094)?

Common alternative names include: CVE-2024-3094, Jia Tan backdoor, liblzma backdoor.
