CVE-2024-3094

On 2024-03-29 a malicious backdoor was disclosed in XZ Utils (liblzma and related tools) affecting versions 5.6.0 and 5.6.1; the backdoor can be leveraged to bypass sshd authentication and enable remote code execution. The issue was assigned CVE-2024-3094 with a CVSS score of 10.0, a public proof-of-concept exploit exists, and multiple Linux distribution vendors have issued guidance to patch, downgrade to xz 5.4, or update affected images and snapshots.