CVE-2026-34054

vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9
https://github.com/microsoft/vcpkg/pull/50518
https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9

Configurations

No configuration.

History

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) vcpkg es un gestor de paquetes C/C++ gratuito y de código abierto. Antes de la versión 3.6.1#3, las compilaciones de OpenSSL para Windows de vcpkg configuraban openssldir a una ruta en la máquina de compilación, haciendo que esa ruta fuera atacable posteriormente en las máquinas de los clientes. Este problema ha sido parcheado en la versión 3.6.1#3.

31 Mar 2026, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-31 03:15

Updated : 2026-04-01 14:24

NVD link : CVE-2026-34054

Mitre link : CVE-2026-34054

CVE.ORG link : CVE-2026-34054

JSON object : View

Products Affected

No product.

CWE

CWE-427

Uncontrolled Search Path Element

7.8 /10