CVE-2026-34054 is a vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting Microsoft’s vcpkg package manager for C/C++. Specifically, in versions prior to 3.6.1#3, the Windows builds of OpenSSL distributed via vcpkg set the openssldir configuration to a path that points to a directory on the build machine rather than a secure, runtime-appropriate location. This misconfiguration means that when OpenSSL is used on customer machines, it may reference or load files from an attacker-controllable or otherwise unsafe directory path. An attacker with local access and limited privileges could exploit this by placing malicious libraries or executables in the referenced path, causing the system to load these malicious components instead of legitimate ones. This can lead to arbitrary code execution, privilege escalation, or compromise of cryptographic operations, impacting confidentiality, integrity, and availability. The vulnerability does not require user interaction but does require local privileges, and the attack surface is limited to Windows systems using vulnerable versions of vcpkg. Microsoft patched this issue in vcpkg version 3.6.1#3 by correcting the openssldir path to a safe location. No known exploits have been reported in the wild as of the publication date.

The vulnerability allows an attacker with local access to influence the search path used by OpenSSL libraries bundled with vcpkg on Windows, potentially leading to execution of malicious code with the privileges of the affected process. This can compromise the confidentiality of sensitive data handled by OpenSSL, integrity of cryptographic operations, and availability of applications relying on these libraries. Organizations using vulnerable versions of vcpkg in development or production environments risk supply chain compromise, especially if OpenSSL is used in security-critical applications. The attack requires local access, which limits remote exploitation but does not eliminate risk in environments where multiple users share systems or where attackers can gain initial footholds with limited privileges. The high CVSS score reflects the broad impact on core security properties and the relative ease of exploitation once local access is obtained.

The primary mitigation is to upgrade all affected vcpkg installations to version 3.6.1#3 or later, where the openssldir path is correctly set to a secure location. Organizations should audit their build and deployment pipelines to identify usage of vulnerable vcpkg versions and ensure timely patching. Additionally, restrict local user privileges to prevent unauthorized users from placing malicious files in directories referenced by OpenSSL. Implement application whitelisting and integrity verification for critical libraries to detect unauthorized modifications. For environments where upgrading is delayed, consider manually verifying and correcting the openssldir configuration in OpenSSL builds. Regularly monitor systems for suspicious activity indicative of exploitation attempts. Finally, enforce strict access controls and segmentation to limit local access to trusted users only.