CVE-2026-34054
Published: 31 March 2026
Summary
CVE-2026-34054 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-34054 is a vulnerability in vcpkg, a free and open-source C/C++ package manager, affecting Windows builds of OpenSSL in versions prior to 3.6.1#3. The issue stems from vcpkg configuring the OpenSSL openssldir to a path originating from the build machine, which remains embedded in the binaries distributed to customers. This creates an untrusted search path (CWE-427) that can be exploited on end-user systems. The vulnerability received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-31.
A local attacker with low privileges on a customer Windows machine can exploit this by targeting the build machine-derived openssldir path, which may be writable or controllable in the user's environment. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling arbitrary code execution, data theft, or system disruption through malicious files or configurations loaded by OpenSSL.
Microsoft's vcpkg security advisory (GHSA-p322-v6vw-vrq9) and related GitHub pull request #50518 confirm the issue was patched in vcpkg version 3.6.1#3 via commit 5111afdf55cc1429d9951e4c7b02010e659346a9, which corrects the openssldir configuration to prevent reliance on build-time paths. Security practitioners should update to 3.6.1#3 or later and review OpenSSL configurations in vcpkg-built applications on Windows.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17285
Vulnerability details
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been…
more
patched in version 3.6.1#3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Untrusted search path (CWE-427) from build-time openssldir enables path interception for arbitrary code execution on Windows, directly facilitating T1574.008 and T1068 for local privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating CVE-2026-34054 by patching vcpkg to version 3.6.1#3 to fix the insecure build-time openssldir path in OpenSSL binaries.
SI-5 mandates obtaining, assessing, and acting on security alerts and advisories like GHSA-p322-v6vw-vrq9 and Microsoft's vcpkg advisory for this CVE, ensuring timely updates.
RA-5 enables vulnerability scanning and monitoring to identify Windows systems with vulnerable vcpkg-built OpenSSL installations affected by the untrusted search path issue.