Description
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.
Published: 2026-03-31
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution via modified configuration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises in Microsoft vcpkg’s Windows builds of OpenSSL, where the openssldir setting is hard‑coded to a path on the build machine. This creates an uncontrolled search path element (CWE‑427) that allows an attacker to place malicious files—such as a disallowed configuration or override libraries—in that directory. If such files are loaded, an attacker could modify OpenSSL behaviour or execute arbitrary code on the affected system.

Affected Systems

Microsoft vcpkg for Windows platforms, specifically the OpenSSL packages prior to version 3.6.1#3. The curated patch in 3.6.1#3 removes the unsafe build‑time path setting; any systems using earlier vcpkg releases are susceptible.

Risk and Exploitability

The CVSS base score is 7.8, indicating a high severity of potential impact. Exploitation likelihood is not quantified by EPSS and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet known to be actively exploited. The attack vector is inferred to be local or supply‑chain, requiring the attacker to supply or modify a build machine, or to insert malicious files into the specified directory after installation. Once the vulnerable path is used, the attacker can achieve code execution or unauthorized configuration of OpenSSL, compromising confidentiality, integrity, or availability of the affected system.

Generated by OpenCVE AI on March 31, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vcpkg to version 3.6.1#3 or later to receive the fixed OpenSSL build.
  • If an upgrade is not immediately possible, remove or block the exposed build‑time directory from the system’s search path and validate that the openssldir setting points to a secure, non‑shared location.
  • Verify that no untrusted or mutable directories remain in OpenSSL’s configuration path.
  • Regularly monitor Microsoft vcpkg security advisories for updates or additional mitigation steps.

Generated by OpenCVE AI on March 31, 2026 at 05:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft vcpkg
Vendors & Products Microsoft
Microsoft vcpkg

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.
Title openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)
Weaknesses CWE-427
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Microsoft Vcpkg
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T03:55:58.861Z

Reserved: 2026-03-25T15:29:04.746Z

Link: CVE-2026-34054

cve-icon Vulnrichment

Updated: 2026-03-31T15:35:39.288Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-31T03:15:58.593

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-34054

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:10:34Z

Weaknesses