{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34054", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T15:29:04.746Z", "datePublished": "2026-03-31T01:56:14.585Z", "dateUpdated": "2026-04-02T03:55:58.861Z"}, "containers": {"cna": {"title": "openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)", "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "lang": "en", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9"}, {"name": "https://github.com/microsoft/vcpkg/pull/50518", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/vcpkg/pull/50518"}, {"name": "https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9"}], "affected": [{"vendor": "microsoft", "product": "vcpkg", "versions": [{"version": "< 3.6.1#3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:56:14.585Z"}, "descriptions": [{"lang": "en", "value": "vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3."}], "source": {"advisory": "GHSA-p322-v6vw-vrq9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-34054"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T03:55:58.861Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T15:35:33.233027Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:35:39.288Z"}}], "cna": {"title": "openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)", "source": {"advisory": "GHSA-p322-v6vw-vrq9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "microsoft", "product": "vcpkg", "versions": [{"status": "affected", "version": "< 3.6.1#3"}]}], "references": [{"url": "https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9", "name": "https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/microsoft/vcpkg/pull/50518", "name": "https://github.com/microsoft/vcpkg/pull/50518", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9", "name": "https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:56:14.585Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34054", "state": "PUBLISHED", "dateUpdated": "2026-04-02T03:55:58.861Z", "dateReserved": "2026-03-25T15:29:04.746Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:56:14.585Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3."}, {"lang": "es", "value": "vcpkg es un gestor de paquetes C/C++ gratuito y de c\u00f3digo abierto. Antes de la versi\u00f3n 3.6.1#3, las compilaciones de OpenSSL para Windows de vcpkg configuraban openssldir a una ruta en la m\u00e1quina de compilaci\u00f3n, haciendo que esa ruta fuera atacable posteriormente en las m\u00e1quinas de los clientes. Este problema ha sido parcheado en la versi\u00f3n 3.6.1#3."}], "id": "CVE-2026-34054", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:58.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9"}, {"source": "security-advisories@github.com", "url": "https://github.com/microsoft/vcpkg/pull/50518"}, {"source": "security-advisories@github.com", "url": "https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.6.1#3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "vcpkg", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-31T05:22:57.528687+00:00", "value": {"mitigation_remediation": ["Upgrade vcpkg to version\u202f3.6.1#3 or later to receive the fixed OpenSSL build.", "If an upgrade is not immediately possible, remove or block the exposed build\u2011time directory from the system\u2019s search path and validate that the openssldir setting points to a secure, non\u2011shared location.", "Verify that no untrusted or mutable directories remain in OpenSSL\u2019s configuration path.", "Regularly monitor Microsoft vcpkg security advisories for updates or additional mitigation steps."], "summary": {"action": "Immediate Patch", "impact": "Local code execution via modified configuration"}, "threat_synthesis": {"affected_systems": "Microsoft vcpkg for Windows platforms, specifically the OpenSSL packages prior to version\u202f3.6.1#3. The curated patch in 3.6.1#3 removes the unsafe build\u2011time path setting; any systems using earlier vcpkg releases are susceptible.", "description_and_impact": "The vulnerability arises in Microsoft vcpkg\u2019s Windows builds of OpenSSL, where the openssldir setting is hard\u2011coded to a path on the build machine. This creates an uncontrolled search path element (CWE\u2011427) that allows an attacker to place malicious files\u2014such as a disallowed configuration or override libraries\u2014in that directory. If such files are loaded, an attacker could modify OpenSSL behaviour or execute arbitrary code on the affected system.", "risk_and_exploitability": "The CVSS base score is 7.8, indicating a high severity of potential impact. Exploitation likelihood is not quantified by EPSS and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not yet known to be actively exploited. The attack vector is inferred to be local or supply\u2011chain, requiring the attacker to supply or modify a build machine, or to insert malicious files into the specified directory after installation. Once the vulnerable path is used, the attacker can achieve code execution or unauthorized configuration of OpenSSL, compromising confidentiality, integrity, or availability of the affected system."}}}}, "created": "2026-03-31T19:56:24.945252+00:00", "updated": "2026-04-03T09:10:34.810612+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$vcpkg"]}