What is CVE-2024-3094?

CVE-2024-3094 is a critical-severity vulnerability in Red Hat Enterprise Linux 10, classified under CWE-506. CVSS score: 10.0/10. Published 2024-03-29.

How severe is CVE-2024-3094?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Is CVE-2024-3094 known to be exploited?

205 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XZ Utils Backdoor — Red Hat Enterprise Linux 10 Vulnerability

CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the sou…

EPSS: 0.851 (99.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Weakness classification (CWE)

CWE-506

Public proof-of-concept exploits

References

access.redhat.com/security/cve/CVE-2024-3094 (vdb-entry, x_refsource_REDHAT)
RHBZ#2272210 (issue-tracking, x_refsource_REDHAT)
www.openwall.com/lists/oss-security/2024/03/29/4
www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Frequently asked questions

What is CVE-2024-3094?: CVE-2024-3094 is a critical-severity vulnerability in Red Hat Enterprise Linux 10, classified under CWE-506. CVSS score: 10.0/10. Published 2024-03-29.
How severe is CVE-2024-3094?: Critical severity. CVSS v3 base score is 10.0 out of 10.
Is CVE-2024-3094 known to be exploited?: 205 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.