CVE-2026-34054
HIGH
openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)
Title source: cnaDescription
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, which leaves that path open to attack later on customer machines. This issue has been patched in version 3.6.1#3.
References (3)
x_refsource_confirm: https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9
x_refsource_misc: https://github.com/microsoft/vcpkg/pull/50518
x_refsource_misc: https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9
Scores
CVSS v3: 7.8
EPSS: 0.0072
EPSS Percentile: 48.7%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-427
Status: published
Products (1): microsoft/vcpkg < 3.6.1#3
Published: Mar 31, 2026
Tracked Since: Mar 31, 2026