
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine…

Published: 30 March 2026 at 22:00:00

Alert date: 31 March 2026 at 04:03:55

Source: nvd.nist.gov


Supply Chain & Dependencies, Operating Systems

vcpkg, a free and open-source C/C++ package manager, contained a vulnerability in versions prior to 3.6.1#3 where Windows builds of OpenSSL set openssldir to a path on the build machine. This configuration made that path attackable later on customer machines. The issue affects the security of OpenSSL installations distributed through vcpkg on Windows systems. Microsoft has patched this vulnerability in version 3.6.1#3. The vulnerability represents a supply chain security issue where build-time configurations create security risks on end-user systems.
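One way to audit a shipped OpenSSL binary for the condition described above (an added example, not code from vcpkg, Microsoft or the advisory): read the compiled-in OPENSSLDIR from `openssl version -d` and flag any path outside directories that standard users cannot normally write to. The protected-roots list, the function names and the sample outputs are assumptions constructed for illustration.

```python
import ntpath
import re
import subprocess

# Assumption: roots a standard user cannot write to on a default Windows install.
# A real audit should also inspect the directory's ACL (for example with icacls).
PROTECTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

def parse_openssldir(version_output):
    """Return the OPENSSLDIR value from `openssl version -d` (or -a) output."""
    m = re.search(r'^OPENSSLDIR:\s*"(.*)"\s*$', version_output, re.MULTILINE)
    return m.group(1) if m else None

def _is_under(path, root):
    # Normalise case, separators and ".." segments before comparing.
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")

def classify(openssldir, protected_roots=PROTECTED_ROOTS):
    """'ok' if under a protected root, 'review' otherwise, 'unknown' if absent."""
    if not openssldir:
        return "unknown"
    if not ntpath.isabs(openssldir):
        return "review"  # relative path: location depends on the working directory
    if any(_is_under(openssldir, root) for root in protected_roots):
        return "ok"
    return "review"  # e.g. a leftover build-machine path

def audit(binary="openssl"):
    """Run the given openssl binary and classify its compiled-in OPENSSLDIR."""
    out = subprocess.run([binary, "version", "-d"], capture_output=True,
                         text=True, check=True).stdout
    path = parse_openssldir(out)
    return path, classify(path)

# Constructed sample outputs (not taken from any real build).
SAMPLE_BUILD_PATH = 'OPENSSLDIR: "C:\\build\\installed\\x64-windows"\n'
SAMPLE_PROTECTED = 'OPENSSLDIR: "C:\\Program Files\\Common Files\\SSL"\n'

if __name__ == "__main__":
    for sample in (SAMPLE_BUILD_PATH, SAMPLE_PROTECTED):
        path = parse_openssldir(sample)
        print(path, "->", classify(path))
```

A "review" result means the directory's existence and ACL on the target machine need to be checked by hand; "ok" is a heuristic based on location only.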

Technical details

Mitigation steps:

Affected products:

vcpkg
OpenSSL

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
