Embedded Malicious Code Affecting tukaani-project/xz package, versions [5.6.0] [5.6.1]



    Attack Complexity Low
    Scope Changed
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Social Trends Trending on Twitter
    Exploit Maturity Mature
    EPSS 0.12% (46th percentile)
10 critical
Red Hat: 10 critical

  • published 31 Mar 2024
  • disclosed 29 Mar 2024
  • credit Andres Freund

How to fix?

Avoid using all malicious instances of the tukaani-project/xz package.


Affected versions of this package are vulnerable to Embedded Malicious Code in the form of malicious .m4 files in the tarball distributions (which have since been taken down). These malicious build files contain build instructions that are not present in the upstream repository (https://git.tukaani.org/). During the build process of the liblzma package, the instructions execute a prebuilt object file from one of the test archives. The obfuscated code is mainly contained in the following files:

  • tests/files/bad-3-corrupt_lzma2.xz
  • tests/files/good-large_compressed.lzma

The malicious test files were committed upstream, but because the malicious build instructions are not present in the upstream repository, they were never called or executed there.

Specifically, degraded or interrupted performance of sshd has been observed, and sshd or other processes may allow unauthenticated remote code execution.

The currently known conditions to enable this backdoor are:

  • xz / liblzma is built for amd64 / x86_64 architecture.
  • Build toolchain uses glibc (for the IFUNC resolver functionality).
  • The package is built for .deb or .rpm based Linux distros.
  • Out of those distros, the payload activates if the running process is /usr/sbin/sshd and uses liblzma.
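
As an added example (not part of the original advisory or the xz project), the following shell script compares a host with the conditions above that can be observed at runtime: the affected liblzma versions, the x86_64 architecture, and whether /usr/sbin/sshd loads liblzma. The function names and result labels are assumptions made for this example, and the build-time conditions (glibc toolchain, .deb/.rpm packaging) are not checked.

```shell
#!/bin/sh
# Added example: compare a host with the activation conditions in the advisory.
# Function names and result labels are assumptions made for this example.

# Return 0 if $1 is one of the affected releases named in the advisory.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the liblzma version found in `xz --version` output passed as $1,
# e.g. the line "liblzma 5.6.1" yields "5.6.1".
parse_liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if the `ldd` output passed as $1 lists a liblzma shared object.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Print one of: unknown | version-not-listed | affected-version | conditions-met
# $1 = machine architecture, $2 = liblzma version, $3 = ldd output for sshd
assess() {
    [ -n "$2" ] || { echo unknown; return 0; }
    is_affected_version "$2" || { echo version-not-listed; return 0; }
    case "$1" in
        x86_64|amd64) ;;
        *) echo affected-version; return 0 ;;
    esac
    if links_liblzma "$3"; then echo conditions-met; else echo affected-version; fi
}

# Gather the inputs from the local host; missing tools yield empty strings.
main() {
    xz_out=$(xz --version 2>/dev/null || true)
    ldd_out=$(ldd /usr/sbin/sshd 2>/dev/null || true)
    version=$(parse_liblzma_version "$xz_out")
    arch=$(uname -m)
    echo "arch=$arch liblzma=${version:-unknown}"
    echo "result=$(assess "$arch" "$version" "$ldd_out")"
}
main
```

A result of `conditions-met` or `affected-version` means an affected release is installed and the advisory's downgrade guidance applies.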

Current mitigations:

Tarballs signed by Lasse Collin are not infected, and earlier versions, including 5.4.5 and 5.4.6, are confirmed to be unaffected. Downgrading to a safe version is strongly recommended. If you can't downgrade, disable public-facing SSH servers until you can.


This vulnerability is undergoing further analysis, and the advisory will be updated accordingly.