Summary
xz utils is a popular data compression library found in many Linux distributions. The critical vulnerability found in recent versions of the xz library, liblzma, is malicious code injected into the library and designed to allow unauthorized remote access[5].
When a specific set of conditions is met (a vulnerable OS running a vulnerable version of xz with a publicly accessible sshd), an attacker possessing a specific private key may be able to execute arbitrary commands on the system[6].
Impact
Remote Code Execution/Unauthorized Remote Access
Vulnerable
xz versions 5.6.0 (released February 24) and 5.6.1 (released March 9) are affected. Affected packages are present in Fedora 41 and Fedora Rawhide[2], Arch Linux, Kali Linux, openSUSE Tumbleweed and MicroOS, and the Debian testing, unstable, and experimental distributions[3].
No versions of Red Hat Enterprise Linux (RHEL) are affected[2].
Recommendations
xz utils 5.6.x is no longer considered trustworthy. As a precaution, we recommend downgrading any affected packages and systems to xz utils 5.4.6.
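One way to check a host against the versions above, as an added example that is not part of this advisory: it parses the output of `xz --version` and reports 5.6.0/5.6.1 as affected and any other 5.6.x as untrusted. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify the installed liblzma
# version according to the versions listed above.

# Extract the liblzma version from `xz --version` output, whose second
# line reads "liblzma <version>". Returns 1 if no such line is present.
xz_lib_version() {
    printf '%s\n' "$1" | awk '
        /^liblzma/ { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# True (exit 0) only for the two releases the advisory names as affected.
xz_is_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print one of: affected, untrusted (other 5.6.x), unaffected, unknown.
xz_classify() {
    ver=$(xz_lib_version "$1") || { echo unknown; return 0; }
    if xz_is_affected "$ver"; then
        echo affected
    else
        case "$ver" in
            5.6.*) echo untrusted ;;   # 5.6.x is no longer considered trustworthy
            *)     echo unaffected ;;
        esac
    fi
}

# Constructed sample outputs in the format `xz --version` prints.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Report on the xz binary actually installed on this host, if any.
if command -v xz >/dev/null 2>&1; then
    echo "installed xz: $(xz_classify "$(xz --version 2>/dev/null)")"
fi
```

Run it on each host in scope; an `affected` or `untrusted` result means the package should be downgraded to 5.4.6 as recommended above.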