CVE-2026-34054
Received Received - Intake
Path Disclosure in vcpkg OpenSSL Windows Builds Pre

Publication date: 2026-03-31

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34054
EUVD
EUVD-2026-17285
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
microsoft vcpkg to 3.6.1#3 (exc)
openssl openssl to 3.6.1#3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to an elevation of privilege on affected systems. Specifically, an attacker with low privileges can create a directory structure matching the hardcoded `openssldir` path and place malicious modules or DLLs there.

When OpenSSL runs under a higher-privileged user, it may load these malicious files, allowing the attacker to execute code with elevated privileges. This compromises confidentiality, integrity, and availability of the system, as indicated by the CVSS score metrics.

Compliance Impact

The vulnerability in CVE-2026-34054 allows an attacker with low privileges to place malicious files in a directory path that OpenSSL will later load with higher privileges, leading to elevation of privilege. This can result in unauthorized access, modification, or disruption of sensitive data and system integrity.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity and confidentiality.

By allowing privilege escalation through uncontrolled search path elements, this vulnerability increases the risk of data breaches and unauthorized system changes, which are critical concerns under these regulations.

The patch and mitigation efforts, which remove the unsafe setting of the openssldir path and rely on secure default directories requiring administrative privileges, help reduce this risk and support compliance efforts.

Executive Summary

CVE-2026-34054 is a high-severity vulnerability in OpenSSL builds on Windows distributed via the vcpkg package manager prior to version 3.6.1#3. The issue occurs because vcpkg sets the OpenSSL configuration directory, known as `openssldir`, to a path from the build machine rather than a neutral or default location.

This hardcoded path can be recreated by an attacker with low privileges on a different machine, allowing them to place malicious files such as DLLs in that directory. When OpenSSL runs under a higher-privileged user, it may load these malicious files, leading to an elevation of privilege.

The root cause is that the build process improperly redirects build outputs by changing `openssldir` instead of using the recommended `DESTDIR` method. This creates an uncontrolled search path element vulnerability (CWE-427), where OpenSSL looks for critical resources in a location that can be controlled by unauthorized actors.

Detection Guidance

This vulnerability can be detected by checking if the OpenSSL build on Windows via vcpkg sets the `openssldir` configuration to a path from the build machine rather than a safe default directory. Specifically, you want to verify whether OpenSSL is using a hardcoded, potentially world-writable directory path for its modules and engines.

One approach is to inspect the OpenSSL configuration or runtime behavior to see where it looks for its engines or DLLs. If the path points to a build machine directory or an unsafe location, the system is vulnerable.

While no explicit commands are provided in the resources, you can use commands to check the OpenSSL configuration directory path, for example:

  • Run `openssl version -d` to display the default directory OpenSSL uses for its configuration and modules.
  • Inspect the output path; if it points to a build machine path or an unusual directory rather than a standard location like under "Program Files", it indicates the vulnerable configuration.
  • Additionally, you can check the installed OpenSSL binaries or package metadata to see if they were built with vcpkg versions prior to 3.6.1#3.
Mitigation Strategies

To mitigate this vulnerability, the primary step is to upgrade the vcpkg OpenSSL package to version 3.6.1#3 or later, where the issue has been fixed.

This update removes the explicit setting of the `openssldir` directory during the build process on Windows, allowing OpenSSL to default to its standard, secure directory under "Program Files", which is protected by administrative permissions.

If upgrading is not immediately possible, consider verifying and restricting permissions on the directories OpenSSL uses to load modules and engines to prevent unauthorized users from placing malicious files.

Additionally, for applications relying on OpenSSL modules, use the new runtime APIs introduced (such as `MiscUtils_SetOpenSSLModulesPath` and `CryptoUtils::SetOpenSSLModulesPath`) to override the module search path safely, avoiding reliance on unsafe build-time directory settings.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34054. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart