{"id":"CVE-2026-34054","summary":"openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)","details":"vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.","aliases":["GHSA-p322-v6vw-vrq9"],"modified":"2026-07-08T08:12:50.893561456Z","published":"2026-03-31T01:56:14.585Z","database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"\u003c 3.6.1#3"},{"last_affected":"\u003c 3.6.1#3"}]}],"cwe_ids":["CWE-427"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34054.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34054.json"},{"type":"ADVISORY","url":"https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34054"},{"type":"FIX","url":"https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9"},{"type":"FIX","url":"https://github.com/microsoft/vcpkg/pull/50518"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/microsoft/vcpkg","events":[{"introduced":"0"},{"fixed":"5111afdf55cc1429d9951e4c7b02010e659346a9"}],"database_specific":{"source":"REFERENCES"}}],"versions":["2026.02.27","2026.01.16","2025.12.12","2025.10.17","2025.09.17","2025.08.27","2025.07.25","2025.06.13","2025.04.09","2025.03.19","2025.02.14","2025.01.13","2024.12.16","2024.11.16","2024.10.21","2024.09.30","2024.09.23","2024.08.23","2024.07.12","2024.06.15","2024.05.24","2024.04.26","2024.03.25","2024.03.19","2024.02.14","2024.01.12","2023.12.12","2023.11.20","2023.10.19","2023.08.09","2023.07.21","2023.06.20","2023.04.15","2023.02.24","2023.01.09","2022.11.14","2022.10.19","2022.09.27","2022.08.15","2022.07.25","2022.06.15","2022.05.10","2022.04.12","2022.03.10","2022.02.23","2022.01.31","2021.12.31","2021.11.30","2021.10.31","2021.09.30","2021.08.31","2021.07.31","2021.06.31","2022.02.02","2022.01.01","2021.12.01","2021.05.12","2021.04.30","2020.11-1","2020.11","2020.07","2020.06","2020.04","2020.01","2019.12","2019.11","2019.10","2019.09","2019.08","2019.07","2019.06"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34054.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}