CVE-2026-34054

Source
https://cve.org/CVERecord?id=CVE-2026-34054
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34054.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34054
Aliases
  • GHSA-p322-v6vw-vrq9
Published
2026-03-31T01:56:14.585Z
Modified
2026-07-08T08:12:50.893561456Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)
Details

vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "< 3.6.1#3"
                },
                {
                    "last_affected": "< 3.6.1#3"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34054.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-427"
    ]
}
References

Affected packages

Git / github.com/microsoft/vcpkg

Affected ranges

Type
GIT
Repo
https://github.com/microsoft/vcpkg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

2019.*
2019.06
2019.07
2019.08
2019.09
2019.10
2019.11
2019.12
2020.*
2020.01
2020.04
2020.06
2020.07
2020.11
2020.11-1
2021.*
2021.04.30
2021.05.12
2021.06.31
2021.07.31
2021.08.31
2021.09.30
2021.10.31
2021.11.30
2021.12.01
2021.12.31
2022.*
2022.01.01
2022.01.31
2022.02.02
2022.02.23
2022.03.10
2022.04.12
2022.05.10
2022.06.15
2022.07.25
2022.08.15
2022.09.27
2022.10.19
2022.11.14
2023.*
2023.01.09
2023.02.24
2023.04.15
2023.06.20
2023.07.21
2023.08.09
2023.10.19
2023.11.20
2023.12.12
2024.*
2024.01.12
2024.02.14
2024.03.19
2024.03.25
2024.04.26
2024.05.24
2024.06.15
2024.07.12
2024.08.23
2024.09.23
2024.09.30
2024.10.21
2024.11.16
2024.12.16
2025.*
2025.01.13
2025.02.14
2025.03.19
2025.04.09
2025.06.13
2025.07.25
2025.08.27
2025.09.17
2025.10.17
2025.12.12
2026.*
2026.01.16
2026.02.27

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34054.json"