According to aDiscourse post, the beta for Ubuntu 24.04 (codename: Noble Numbat) , which was due to be released tomorrow has been delayed and now we should expect it on April 11. The reason for the delay is said to beCVE-2024-3094— otherwise known as the XZ compression tools, which were compromised with malicious code.
This delay also leads to speculation that the upcoming 24.04 launch — slated for April 25 — could possibly be delayed.
In the Discourse post, Łukasz ‘sil2100’ Zemczak announced that Canonical, the company behind Ubuntu, has “made the decision to remove and rebuild all binary packages that had been built for Noble Numbat after the CVE-2024-3094 code was committed to xz-utils (February 26th), on newly provisioned build environments.“This means that any binaries built for the latest Ubuntu release will not be impacted by the recent threat introduced via xz-utils.
The threat, which also triggered Red Hat to release anurgent security alert, sees malicious code being introduced to versions 5.6.0 and 5.6.1 of xz-utils. This code appears to introduce a backdoor into systems. According to anOpenwall mailing list postby Andres Freund:
“After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
The upstream xz repository and the xz tarballs have been backdoored.”
Thexz-utilspackage is used to compress files / directories using the XZ compression format, commonly used on Linux and Unix machines. At the time of writing, Ubuntu 24.04 (Noble Numbat) is using version 5.6.1 of xz-utils, which was one of the two affected versions. By rebuilding the packages with known good code build environments, Canonical claims that it “provides us with confidence that no binary in our builds could have been affected by this emerging threat.”
Get Tom’s Hardware’s best news and in-depth reviews, straight to your inbox.
The impact on the beta is that we will now have to wait an extra week before we can get a hands-on with something approaching the final release (there is generally a release just before launch, which is considered a release candidate). Of course there aredaily buildsthat we can try out, but we can’t guarantee they are free of the malicious code.
Does this mean the April 25 release date will be pushed back? Ex-Canonical employee and well known Linux podcaster Alan “Popey” Pope ran a poll on Mastodon asking if Ubuntu 24.04 might be delayed. At the time of writing, 58% believe that it will be released on time, while 42% fear that it may be delayed.
The last time that an Ubuntu release was delayed was back in 2006: Ubuntu 6.06 “Dapper Drake” was delayed by two months to give the team more time to implement extra features for what was to become a pivotal Linux distro. Ubuntu 6.06 saw the merging of a live and install CD, along with a graphical installer and a means to install the OS to a USB drive.
Are other Linux distros affected?
According to a list compiled byhelpnetsecurity.com, it is a bit of a mixed bag:
We did check ourRaspberry Pi 5running the latest Raspberry Pi OS (Kernel 6.6.20 from June 20, 2025), and checking the version number for xz returned version 5.4.1. So, all appears well for our favorite single board computer.
Les Pounder is an associate editor at Tom’s Hardware. He is a creative technologist and for seven years has created projects to educate and inspire minds both young and old. He has worked with the Raspberry Pi Foundation to write and deliver their teacher training program “Picademy”.
