CVE-2026-34054
Path Disclosure in vcpkg OpenSSL Windows Builds Pre
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | vcpkg | to 3.6.1#3 (exc) |
| openssl | openssl | to 3.6.1#3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to an elevation of privilege on affected systems. Specifically, an attacker with low privileges can create a directory structure matching the hardcoded `openssldir` path and place malicious modules or DLLs there.
When OpenSSL runs under a higher-privileged user, it may load these malicious files, allowing the attacker to execute code with elevated privileges. This compromises confidentiality, integrity, and availability of the system, as indicated by the CVSS score metrics.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in CVE-2026-34054 allows an attacker with low privileges to place malicious files in a directory path that OpenSSL will later load with higher privileges, leading to elevation of privilege. This can result in unauthorized access, modification, or disruption of sensitive data and system integrity.
Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity and confidentiality.
By allowing privilege escalation through uncontrolled search path elements, this vulnerability increases the risk of data breaches and unauthorized system changes, which are critical concerns under these regulations.
The patch and mitigation efforts, which remove the unsafe setting of the openssldir path and rely on secure default directories requiring administrative privileges, help reduce this risk and support compliance efforts.
Can you explain this vulnerability to me?
CVE-2026-34054 is a high-severity vulnerability in OpenSSL builds on Windows distributed via the vcpkg package manager prior to version 3.6.1#3. The issue occurs because vcpkg sets the OpenSSL configuration directory, known as `openssldir`, to a path from the build machine rather than a neutral or default location.
This hardcoded path can be recreated by an attacker with low privileges on a different machine, allowing them to place malicious files such as DLLs in that directory. When OpenSSL runs under a higher-privileged user, it may load these malicious files, leading to an elevation of privilege.
The root cause is that the build process improperly redirects build outputs by changing `openssldir` instead of using the recommended `DESTDIR` method. This creates an uncontrolled search path element vulnerability (CWE-427), where OpenSSL looks for critical resources in a location that can be controlled by unauthorized actors.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the OpenSSL build on Windows via vcpkg sets the `openssldir` configuration to a path from the build machine rather than a safe default directory. Specifically, you want to verify whether OpenSSL is using a hardcoded, potentially world-writable directory path for its modules and engines.
One approach is to inspect the OpenSSL configuration or runtime behavior to see where it looks for its engines or DLLs. If the path points to a build machine directory or an unsafe location, the system is vulnerable.
The resources linked for this CVE do not give explicit commands, but you can check the OpenSSL configuration directory path yourself, for example:
- Run `openssl version -d` to display the default directory (`OPENSSLDIR`) that OpenSSL uses for its configuration and modules.
- Inspect the output path; if it points to a build machine path or an unusual directory rather than a standard location like under "Program Files", it indicates the vulnerable configuration.
- Additionally, you can check the installed OpenSSL binaries or package metadata to see if they were built with vcpkg versions prior to 3.6.1#3.
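As an added example (not part of this advisory or of vcpkg), the following Python script automates the `openssl version -d` check above: it parses the reported `OPENSSLDIR` and flags any path that is not under a Program Files root, since a path elsewhere may not exist on the target host and could then be created by a low-privileged user. The sample outputs are constructed, and the `openssl` binary is assumed to be on PATH unless a full path is given.

```python
"""Check the OPENSSLDIR reported by `openssl version -d` for CVE-2026-34054."""
import re
import subprocess
import sys

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_VULNERABLE = 'OPENSSLDIR: "C:\\Users\\builder\\vcpkg\\packages\\openssl_x64-windows"\n'
SAMPLE_DEFAULT = 'OPENSSLDIR: "C:\\Program Files\\Common Files\\SSL"\n'

# Roots protected by administrative ACLs on a default Windows install.
# Assumes the system drive is C:; installs on other drives are flagged for review.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

_OPENSSLDIR_RE = re.compile(r'^OPENSSLDIR:\s*"([^"]*)"', re.MULTILINE)


def parse_openssldir(output):
    """Extract the quoted OPENSSLDIR value from `openssl version -d` output, or None."""
    match = _OPENSSLDIR_RE.search(output)
    return match.group(1) if match else None


def classify_openssldir(path):
    """Return 'ok' for a path under a protected root, 'suspicious' otherwise."""
    normalized = path.replace("/", "\\").lower().rstrip("\\") + "\\"
    if any(normalized.startswith(root) for root in PROTECTED_ROOTS):
        return "ok"
    # A vcpkg build tree, a user profile or a drive root: if the directory is
    # absent on this host, a low-privileged user may be able to create it.
    return "suspicious"


def check_output(output):
    """Combine parsing and classification into one report dict."""
    path = parse_openssldir(output)
    if path is None:
        return {"openssldir": None, "verdict": "unknown"}
    return {"openssldir": path, "verdict": classify_openssldir(path)}


def check_local_openssl(openssl="openssl"):
    """Run the real binary (name or full path) and report on its OPENSSLDIR."""
    result = subprocess.run([openssl, "version", "-d"],
                            capture_output=True, text=True, check=True)
    return check_output(result.stdout)


if __name__ == "__main__":
    print(check_local_openssl(sys.argv[1] if len(sys.argv) > 1 else "openssl"))
```

A "suspicious" verdict is a prompt to inspect the directory's ACL and the package's vcpkg version, not proof of exposure on its own.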
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the primary step is to upgrade the vcpkg OpenSSL package to version 3.6.1#3 or later, where the issue has been fixed.
This update removes the explicit setting of the `openssldir` directory during the build process on Windows, allowing OpenSSL to default to its standard, secure directory under "Program Files", which is protected by administrative permissions.
If upgrading is not immediately possible, consider verifying and restricting permissions on the directories OpenSSL uses to load modules and engines to prevent unauthorized users from placing malicious files.
Additionally, for applications relying on OpenSSL modules, use the new runtime APIs introduced (such as `MiscUtils_SetOpenSSLModulesPath` and `CryptoUtils::SetOpenSSLModulesPath`) to override the module search path safely, avoiding reliance on unsafe build-time directory settings.