VulnFeed by Novadyne

CVE-2024-3094: xz/liblzma backdoor

CVE-2024-3094 (xz/liblzma backdoor) is a supply-chain backdoor vulnerability in xz-utils / liblzma versions 5.6.0 and 5.6.1 (Linux distro packages). As of 2026-06-18 it carries a very high 86.0% probability of exploitation in the next 30 days (EPSS). The fix is to downgrade to 5.4.x (or install a patched distro build); if you are running either affected version, do so.

Severity: Critical
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS (exploit probability, 30d): 86.0% · 100th percentile
Vulnerability type: Supply-Chain Backdoor
Affected package: xz-utils / liblzma (5.6.0, 5.6.1) (Linux distro)
Fixed in: downgrade to 5.4.x (or a patched distro build)

What is CVE-2024-3094?

A malicious maintainer planted a backdoor in the xz/liblzma build for versions 5.6.0 and 5.6.1; on affected systems it could allow SSH authentication bypass and remote code execution. The malicious code was injected at build time from obfuscated test files shipped in the release tarballs, so it is not visible in the project's source repository. It is the textbook modern supply-chain compromise.

Is CVE-2024-3094 exploitable?

CVE-2024-3094 has an EPSS score of 86.0% (100th percentile), meaning a very high 86.0% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which scores as Critical severity. It is a supply-chain backdoor issue.

What is the EPSS score for CVE-2024-3094?

As of 2026-06-18, the EPSS exploit-prediction score for CVE-2024-3094 is 86.0% (100th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.

How do I fix CVE-2024-3094?

Downgrade xz-utils / liblzma from 5.6.0 or 5.6.1 to 5.4.x, or install a patched build from your distribution. Then restart any service that has liblzma loaded (in particular sshd), or reboot, so the backdoored library is no longer resident in memory. The reason is the maintainer-planted backdoor in the 5.6.0 and 5.6.1 builds described above, which could allow SSH authentication bypass and remote code execution.

Am I affected by CVE-2024-3094?

You are affected if your project (directly or transitively) depends on a vulnerable version of xz-utils / liblzma (5.6.0 or 5.6.1) in the Linux distro ecosystem. On a host, xz --version (or your package manager's query for xz-utils / liblzma) reports the installed version; for a project, check your lockfile for the resolved version, or scan automatically with VulnFeed.
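A host-side check for the question above, added here as an example (not VulnFeed's own code): it classifies the version line printed by xz --version against the two affected releases and reports whether sshd has liblzma in its dependency chain. The sample version lines in the comments are constructed, and the AFFECTED / NOT_AFFECTED / UNKNOWN labels are names chosen for this example.

```shell
#!/bin/sh
# Added example (not VulnFeed's code): decide whether an installed xz/liblzma
# is one of the two backdoored releases (5.6.0, 5.6.1) named by CVE-2024-3094.

# Print the first x.y.z token in the given text, e.g. "xz (XZ Utils) 5.6.1".
xz_version_from() {
  for tok in $1; do
    case "$tok" in
      [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$tok"; return 0 ;;
    esac
  done
  return 1
}

# Classify one `xz --version` line. Prints AFFECTED / NOT_AFFECTED / UNKNOWN;
# exit status 0 = affected, 1 = not affected, 2 = no version found.
cve_2024_3094_status() {
  ver=$(xz_version_from "$1") || { echo UNKNOWN; return 2; }
  case "$ver" in
    5.6.0|5.6.1) echo "AFFECTED ($ver)"; return 0 ;;
    *)           echo "NOT_AFFECTED ($ver)"; return 1 ;;
  esac
}

# Host check: version of the xz binary, plus whether sshd has liblzma in its
# dependency chain (the backdoor is only reachable when liblzma is loaded
# into sshd, which happens via libsystemd on some distributions).
check_host() {
  if command -v xz >/dev/null 2>&1; then
    cve_2024_3094_status "$(xz --version 2>/dev/null | head -n 1)" || :
  else
    echo "xz binary not found; query xz-utils/liblzma via your package manager"
  fi
  if command -v ldd >/dev/null 2>&1 && command -v sshd >/dev/null 2>&1; then
    ldd "$(command -v sshd)" 2>/dev/null | grep -i liblzma \
      || echo "liblzma not in sshd's dependency chain"
  fi
}

check_host
```

A host that reports NOT_AFFECTED on the xz binary can still carry a backdoored liblzma if a distro build was patched out of band, so confirm the package version with the package manager as well.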

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.