.xz

XZ Compressed

XZ is a lossless compression format using the LZMA2 algorithm, developed by Lasse Collin and the Tukaani Project in 2009. It achieves higher compression ratios than gzip and bzip2 and is the standard format for Linux kernel and GNU source tarballs.

Learn more ↓

Archive structure

Header magic bytes

Entries compressed files

Index directory

ArchiveLZMA2CRC64 / SHA-256Streamable2009

By FileDex

Not convertible

XZ decompression requires liblzma not available in browser WASM.

Common questions

How do I open or inspect an XZ file?

Use xz -dk file.xz to decompress while keeping the original, or xzcat file.xz | head to preview content without full extraction. On Windows, 7-Zip opens .xz files natively. Use xz --list file.xz to view compression stats without extracting.

What is the xz-utils backdoor (CVE-2024-3094)?

In March 2024, a supply chain attack was discovered in xz-utils versions 5.6.0 and 5.6.1. Malicious code was injected into the build system that modified liblzma to backdoor sshd on systemd-based Linux distributions. The compromised versions were quickly pulled from package repositories.

Should I use XZ or Zstandard for new projects?

Zstandard is preferred when decompression speed matters — it decompresses 5-10x faster than XZ. XZ is preferred when maximum compression ratio is the priority and decompression speed is less important, such as for archival or one-time distribution downloads.

Does XZ support multi-threaded compression?

Yes. XZ Utils 5.2+ supports multi-threaded compression via xz -T0 (auto-detect cores) or xz -T8 (8 threads). Decompression of multi-threaded output is compatible with any single-threaded xz decoder.

What makes .XZ special

What is an XZ file?

XZ is a lossless data compression format that uses the LZMA2 algorithm to achieve high compression ratios. It is widely used in the Linux ecosystem for distributing source code tarballs and software packages. XZ typically achieves better compression than gzip and bzip2 at the cost of slower compression speed.

Continue reading — full technical deep dive

How to open XZ files

7-Zip (Windows) — Free, open-source
tar (Linux, macOS) — tar -xf archive.tar.xz
xz (Linux, macOS) — xz -d file.xz
PeaZip (Windows, Linux) — Free GUI

Technical specifications

Property	Value
Algorithm	LZMA2
Compression Ratio	Higher than gzip/bzip2
Integrity Check	CRC32, CRC64, SHA-256
Multi-threading	Supported
Decompression RAM	Typically 10-100 MB

Common use cases

Linux packages: Source tarballs (.tar.xz) for distro packaging.
Software distribution: Compressed releases on GNU/Linux.
Archiving: High-ratio compression for long-term storage.
Kernel releases: Linux kernel source archives.

.XZ compared to alternatives

.XZ compared to alternative formats
Formats	Criteria	Winner
.XZ vs .ZST	Decompression speed Zstandard decompresses at 1+ GB/s compared to XZ at roughly 100-200 MB/s. For end-user extraction speed, Zstandard is 5-10x faster.	ZST wins
.XZ vs .ZST	Compression ratio At maximum settings, XZ (LZMA2) typically produces 5-15% smaller files than Zstandard level 22 on most data types.	XZ wins
.XZ vs .GZ	Compression ratio XZ produces significantly smaller output than gzip, often 20-30% smaller on text and source code, due to LZMA2's larger dictionary and advanced modeling.	XZ wins

Technical reference

Specs CLI Conversions Security Ecosystem

MIME Type: application/x-xz
Magic Bytes: FD 37 7A 58 5A 00 XZ signature bytes.
Developer: Lasse Collin / Tukaani Project
Year Introduced: 2009
Open Standard: Yes

00000000FD377A585A00 .7zXZ.

XZ signature bytes.

Binary Structure

An XZ file contains one or more streams, each independently decompressible. Each stream starts with a 12-byte stream header: the 6-byte magic FD 37 7A 58 5A 00, followed by 2 bytes of stream flags (indicating the integrity check type), and a 4-byte CRC32 of the stream flags. The stream body contains one or more blocks, each with a block header (compressed and uncompressed size, filter chain) followed by compressed data and optional padding. After the blocks, an index section records the offset and uncompressed size of each block for random access. The stream ends with a 12-byte stream footer: a 4-byte CRC32, 4 bytes of backward size (pointing to the index), a copy of the stream flags, and the 2-byte footer magic 59 5A (YZ — the original magic reversed).

Offset	Length	Field	Example	Description
`0x00`	`6 bytes`	Stream Header Magic	`FD 37 7A 58 5A 00`	Identifies the file as an XZ compressed stream. The bytes decode as: FD (non-ASCII guard), 7A 58 5A (7XZ in ASCII), 00 (null terminator).
`0x06`	`2 bytes`	Stream Flags	`00 04`	Specifies the integrity check type: 00=None, 01=CRC32, 04=CRC64, 0A=SHA-256.
`0x08`	`4 bytes`	Stream Flags CRC32	`varies`	CRC32 checksum of the 2-byte stream flags field for header integrity verification.
`varies`	`variable`	Block Header	`varies`	Per-block header containing block size, filter chain (LZMA2 + optional delta/BCJ), and header CRC32.
`EOF-12`	`12 bytes`	Stream Footer	`CRC32 + backward size + flags + 59 5A`	Contains CRC32, backward size pointing to the index, stream flags copy, and footer magic 59 5A (YZ).

2005LZMA SDK released by Igor Pavlov as part of 7-Zip; LZMA Utils created as a Unix wrapper2009Lasse Collin releases XZ Utils 4.999.8beta, introducing the .xz format as successor to .lzma2010Linux kernel switches source tarballs from bzip2 to xz compression2014XZ Utils 5.2.0 released with multi-threaded compression support2024CVE-2024-3094: supply chain backdoor discovered in xz-utils 5.6.0 and 5.6.1 targeting sshd via liblzma on systemd-based Linux distributions

Compress a file with xz other

xz -k -9 file.tar

-k keeps the original file. -9 uses maximum compression (LZMA2 with 64 MB dictionary). Output is file.tar.xz.

Decompress an .xz file other

xz -dk file.tar.xz

-d decompresses, -k keeps the original. Produces file.tar.

Multi-threaded compression with xz other

xz -T8 -9 -k largefile.sql

-T8 uses 8 threads for parallel compression. Output is fully compatible with single-threaded xz decompression.

Extract a .tar.xz archive other

tar -xf archive.tar.xz

Modern tar auto-detects xz compression. Extracts all files to the current directory.

Inspect xz file metadata other

xz --list --verbose file.xz

Displays stream count, block sizes, compression ratio, integrity check type, and memory requirements.

XZ → GZ transcode lossless Decompress LZMA2 and recompress with gzip for compatibility with older tools or HTTP content-encoding pipelines that only support gzip.

XZ → ZST transcode lossless Zstandard decompresses 5-10x faster than XZ at similar compression ratios. Useful when switching distribution pipelines to zstd for faster end-user extraction.

LOW

Attack Vectors

Supply chain attack: CVE-2024-3094 injected a backdoor into xz-utils 5.6.0/5.6.1 build artifacts targeting sshd on systemd-based Linux
Decompression bomb: crafted XZ with high compression ratio can exhaust memory if decompression memory limits are not set

Mitigation: FileDex does not decompress, parse, or execute XZ content. Reference page only — no server-side processing.

XZ Utils tool

Reference implementation by Lasse Collin, includes xz, unxz, xzcat, and liblzma

7-Zip tool

Free archiver with full LZMA/LZMA2/XZ support across platforms

pixz tool

Parallel indexed xz compressor with random-access block index

Python lzma module library

Standard library module for reading and writing .xz and .lzma files

XZ for Java library

Pure Java implementation of XZ decompression from the Tukaani Project