CVE-2026-34054 Overview
CVE-2026-34054 is a path hijacking vulnerability in vcpkg, Microsoft's free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set the openssldir configuration to a path on the build machine. This misconfiguration allows attackers to exploit the hardcoded path on customer machines, potentially leading to privilege escalation and arbitrary code execution.
Critical Impact
Attackers with local access can exploit the misconfigured OpenSSL directory path to execute malicious code, potentially compromising sensitive cryptographic operations and gaining elevated privileges on affected Windows systems.
Affected Products
- vcpkg versions prior to 3.6.1#3
- Windows builds of OpenSSL distributed via vcpkg
- Applications compiled using vulnerable vcpkg OpenSSL packages
Discovery Timeline
- 2026-03-31 - CVE-2026-34054 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34054
Vulnerability Analysis
This vulnerability falls under CWE-427 (Uncontrolled Search Path Element), which describes situations where an application searches for resources in untrusted locations. When vcpkg builds OpenSSL on Windows, it configures openssldir to a hardcoded path that existed on the build machine but may be accessible or hijackable on end-user systems.
OpenSSL uses openssldir to locate configuration files, certificate stores, and other critical resources. When this path is set to a build-time directory that doesn't exist or can be created by unprivileged users on target systems, attackers can plant malicious configuration files or certificates in that location.
Root Cause
The root cause is improper configuration during the vcpkg OpenSSL build process for Windows. The build system embedded absolute paths from the build environment into the compiled OpenSSL binaries, rather than using relative paths or appropriate Windows system directories. This architectural flaw means every system using the vulnerable OpenSSL build inherits a potentially exploitable path configuration.
Attack Vector
The attack requires local access to the target system. An attacker can exploit this vulnerability by:
- Identifying the hardcoded openssldir path in the vulnerable OpenSSL build
- Creating the expected directory structure if it doesn't exist (often in locations writable by standard users)
- Placing malicious OpenSSL configuration files or certificates in the hijacked directory
- Waiting for applications using the vulnerable OpenSSL to load the malicious resources
This vulnerability enables an attacker to intercept TLS connections, inject malicious certificates, or execute arbitrary code through OpenSSL configuration engine directives. The attack is particularly effective in environments where multiple applications share the same vulnerable OpenSSL build from vcpkg.
Detection Methods for CVE-2026-34054
Indicators of Compromise
- Unexpected directories created in locations matching build machine paths (often containing usernames or build system identifiers)
- Modified or unauthorized OpenSSL configuration files in non-standard locations
- Applications loading OpenSSL resources from untrusted directories
- Certificate validation failures or unexpected certificate warnings in applications using vcpkg-built OpenSSL
Detection Strategies
- Monitor file system activity for creation of directories matching common build paths (e.g., paths containing vcpkg, buildtrees, or CI/CD build agent paths)
- Audit OpenSSL configuration lookups using process monitoring tools to identify access to suspicious paths
- Use SentinelOne's Deep Visibility to track file system modifications in non-standard configuration directories
- Implement application whitelisting to detect when OpenSSL loads configuration from unexpected locations
Monitoring Recommendations
- Enable file integrity monitoring on directories commonly targeted by path hijacking attacks
- Configure alerts for new directory creation in system root locations by non-administrative users
- Monitor process creation events for applications linking to vulnerable vcpkg OpenSSL versions
- Review build artifacts and dependencies for hardcoded paths before deployment to production
How to Mitigate CVE-2026-34054
Immediate Actions Required
- Upgrade vcpkg and rebuild OpenSSL dependencies using version 3.6.1#3 or later
- Audit existing deployments to identify systems running applications built with vulnerable vcpkg OpenSSL packages
- Review file system permissions on potential hijack directories and restrict write access where possible
- Consider using system-provided OpenSSL packages on Windows Server environments as an interim measure
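One way to carry out the audit step above, as an added example that is not part of the original advisory or of vcpkg: it scans a DLL or EXE for the directory strings OpenSSL compiles into libcrypto (the same text `openssl version -a` reports) and queues any path outside a short list of protected roots for ACL review. The function names, the `PROTECTED_ROOTS` list and the sample paths are assumptions made for illustration.

```python
import re

# libcrypto embeds its build-time directories as literal strings of this form.
EMBEDDED_DIR = re.compile(
    rb'(OPENSSLDIR|ENGINESDIR|MODULESDIR): "([^"\x00\r\n]{1,260})"')

# Assumption: roots whose default ACLs stop standard users creating entries.
# Adjust for your estate; anything outside them is queued for an ACL review.
PROTECTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def embedded_dirs(blob: bytes) -> dict:
    """Return {name: path} for every directory string compiled into the binary."""
    return {m.group(1).decode("ascii"): m.group(2).decode("latin-1")
            for m in EMBEDDED_DIR.finditer(blob)}


def under_protected_root(path: str) -> bool:
    """Case-insensitive prefix check on a normalised Windows path."""
    norm = path.replace("/", "\\").rstrip("\\").lower()
    if ".." in norm.split("\\"):  # never trust a path that climbs back out
        return False
    return any(norm == root or norm.startswith(root + "\\")
               for root in PROTECTED_ROOTS)


def audit(blob: bytes) -> list:
    """List (name, path) pairs that point outside the protected roots."""
    return [(name, path) for name, path in embedded_dirs(blob).items()
            if not under_protected_root(path)]


def audit_file(file_path: str) -> list:
    """Convenience wrapper for a DLL or EXE on disk."""
    with open(file_path, "rb") as fh:
        return audit(fh.read())


# Constructed sample bytes standing in for two libcrypto builds. The D:\agent
# paths are placeholders, not the real path from the vcpkg build machine.
SAMPLE_FLAGGED = (
    b"\x00" + rb'OPENSSLDIR: "D:\agent\vcpkg\packages\openssl_x64-windows"'
    + b"\x00"
    + rb'ENGINESDIR: "D:\agent\vcpkg\packages\openssl_x64-windows\lib\engines-3"'
    + b"\x00")
SAMPLE_CLEAN = b"\x00" + rb'OPENSSLDIR: "C:\Program Files\Common Files\SSL"' + b"\x00"

if __name__ == "__main__":
    for name, path in audit(SAMPLE_FLAGGED):
        print(f"review ACLs: {name} -> {path}")
```

A flagged path is a triage result, not proof of exposure: confirm who can create or write to the directory on the target system before prioritising the rebuild.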
Patch Information
Microsoft has addressed this vulnerability in vcpkg version 3.6.1#3. The fix ensures that openssldir is set to an appropriate, secure path rather than the build machine's directory structure. Organizations should update their vcpkg installation and rebuild any OpenSSL-dependent packages.
For detailed patch information, refer to:
Workarounds
- Set the OPENSSL_CONF environment variable to point to a secure, administrator-controlled configuration file location
- Use Windows file system ACLs to prevent creation of the vulnerable directory paths by non-administrative users
- Deploy application-level controls to override OpenSSL's default configuration path lookup
- Consider containerization or sandboxing for applications using vulnerable OpenSSL builds to limit the impact of path hijacking
# Example: Set a secure OpenSSL configuration path via environment variable (PowerShell)
# The target directory must exist and be writable by administrators only
# Current session only; add to application startup scripts as needed
$env:OPENSSL_CONF = "C:\ProgramData\OpenSSL\openssl.cnf"
# Alternatively, set it system-wide (requires an elevated session)
[Environment]::SetEnvironmentVariable("OPENSSL_CONF", "C:\ProgramData\OpenSSL\openssl.cnf", "Machine")


