CVE-2026-34054
Published: 31 March 2026
Summary
CVE-2026-34054 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 17.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating CVE-2026-34054 by patching vcpkg to version 3.6.1#3 to fix the insecure build-time openssldir path in OpenSSL binaries.
SI-5 mandates obtaining, assessing, and acting on security alerts and advisories like GHSA-p322-v6vw-vrq9 and Microsoft's vcpkg advisory for this CVE, ensuring timely updates.
RA-5 enables vulnerability scanning and monitoring to identify Windows systems with vulnerable vcpkg-built OpenSSL installations affected by the untrusted search path issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Untrusted search path (CWE-427) from build-time openssldir enables path interception for arbitrary code execution on Windows, directly facilitating T1574.008 and T1068 for local privilege escalation.
NVD Description
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.
Deeper analysis
CVE-2026-34054 is a vulnerability in vcpkg, a free and open-source C/C++ package manager, affecting Windows builds of OpenSSL in versions prior to 3.6.1#3. The issue stems from vcpkg configuring the OpenSSL openssldir to a path originating from the build machine, which remains embedded in the binaries distributed to customers. This creates an untrusted search path (CWE-427) that can be exploited on end-user systems. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-31.
A local attacker with low privileges on a customer Windows machine can exploit this by targeting the build machine-derived openssldir path, which may be writable or controllable in the user's environment. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data theft, or system disruption through malicious files or configurations loaded by OpenSSL.
Microsoft's vcpkg security advisory (GHSA-p322-v6vw-vrq9) and related GitHub pull request #50518 confirm the issue was patched in vcpkg version 3.6.1#3 via commit 5111afdf55cc1429d9951e4c7b02010e659346a9, which corrects the openssldir configuration to prevent reliance on build-time paths. Security practitioners should update to 3.6.1#3 or later and review OpenSSL configurations in vcpkg-built applications on Windows.
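One way to carry out the configuration review suggested above is to read the openssldir value compiled into each shipped libcrypto binary and flag any that fall outside administrator-controlled directories. This is an added example, not code from vcpkg or the advisory. It assumes the binary carries OpenSSL's `OPENSSLDIR: "..."` version string (the value `openssl version -d` reports); the trusted-root list and the sample byte strings are constructed for illustration.

```python
import ntpath
import re
import sys

# Version string OpenSSL compiles into libcrypto (what `openssl version -d` prints).
OPENSSLDIR_RE = re.compile(rb'OPENSSLDIR: "([^"\x00]{1,260})"')

# Assumption: roots that only administrators can write to on a default install.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

# Constructed sample images: one build-machine style path, one protected path,
# and one that only looks protected until ".." is resolved.
SAMPLE_BUILD = b'\x00\x01OPENSSLDIR: "D:\\constructed-build\\ssl"\x00'
SAMPLE_PROTECTED = b'\x00OPENSSLDIR: "C:\\Program Files\\Common Files\\SSL"\x00'
SAMPLE_TRAVERSAL = b'OPENSSLDIR: "C:\\Program Files\\..\\constructed-build\\ssl"\x00'


def embedded_openssldirs(blob: bytes) -> list[str]:
    """Return every distinct OPENSSLDIR value found in a binary image."""
    hits = {m.decode("utf-8", "replace") for m in OPENSSLDIR_RE.findall(blob)}
    return sorted(hits)


def is_under_trusted_root(path: str, roots=TRUSTED_ROOTS) -> bool:
    """True if the path, after resolving '..' and case, sits inside a trusted root."""
    norm = ntpath.normcase(ntpath.normpath(path))
    if not ntpath.isabs(norm):
        return False  # relative paths resolve against the process working directory
    for root in roots:
        base = ntpath.normcase(ntpath.normpath(root))
        if norm == base or norm.startswith(base + "\\"):
            return True
    return False


def audit(blob: bytes) -> list[tuple[str, str]]:
    """Pair each embedded openssldir with 'ok' or 'review'."""
    return [(d, "ok" if is_under_trusted_root(d) else "review")
            for d in embedded_openssldirs(blob)]


if __name__ == "__main__":
    # Usage: python audit_openssldir.py path\to\libcrypto-3-x64.dll [...]
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            for directory, verdict in audit(fh.read()):
                print(f"{verdict:6} {name}: {directory}")
```

A "review" verdict means the directory's ACLs on the deployed machine need a manual check; the script does not test writability itself.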
Details
- CWE(s)