Synology-SA-24:06 XZ Utils

Publish Time: 2024-04-01 12:02:16 UTC+8

Last Updated: 2024-04-01 12:02:16 UTC+8

Not affected


None of Synology's products are affected by CVE-2024-3094 as this vulnerability only affect XZ Utils 5.6.0 and 5.6.1.

Affected Products

Product Severity Fixed Release Availability
DSM 7.2 Not affected N/A
DSM 7.1 Not affected N/A
DSM 6.2 Not affected N/A
DSMUC 3.1 Not affected N/A
BSM 1.0 Not affected N/A
SRM 1.3 Not affected N/A
VS Firmware 1.0 Not affected N/A
Camera Firmware 1.1 Not affected N/A




  • CVE-2024-3094
    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N
    • Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.



Revision Date Description
1 2024-04-01 Initial public release.