Uncontrolled Search Path Element in Microsoft vcpkg OpenSSL Enables Local Privilege Escalation (CVE‑2026‑34054)
What It Is – A local privilege‑escalation flaw in the Microsoft vcpkg port of OpenSSL. The bundled OpenSSL searches for its configuration file in a location that a low‑privileged user can control (an uncontrolled search path element, CWE‑427), so an attacker who already has low‑privileged code execution can plant a malicious configuration file there; when a higher‑privileged process loads that file, the result is arbitrary code execution at that process's privilege level.
Exploitability – The vulnerability is locally exploitable; no public exploit code exists, but the attack requires only the ability to run low‑privileged code on the host. CVSS base score 7.8 (High; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Affected Products – Microsoft vcpkg (the C/C++ package manager) when used to build applications that depend on the bundled OpenSSL library.
TPRM (third‑party risk management) Impact – Organizations that rely on third‑party software built with vcpkg‑managed OpenSSL inherit the privilege‑escalation risk, potentially compromising build servers, CI/CD pipelines, and downstream products shipped to customers.
Recommended Actions –
- Immediately deploy the Microsoft vcpkg update that patches CVE‑2026‑34054.
- Review and harden build environments: restrict write access to OpenSSL configuration directories and enforce signed package verification.
- Conduct an inventory of internal projects that use vcpkg‑OpenSSL and validate that they have been rebuilt against, and now run, the patched version (updating vcpkg alone does not fix binaries that were already built against the vulnerable port).
- Monitor for anomalous process launches or privilege‑escalation alerts on development and production hosts.
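As an added example (not part of this advisory, and not Microsoft's or the vcpkg project's code), the following Python script implements the configuration‑directory check from the second recommendation: it reads the OPENSSLDIR, ENGINESDIR and MODULESDIR paths that a real `openssl version -a` prints and flags any directory that the current unprivileged user can write to, or that does not exist yet. The directory names and output format are standard OpenSSL; the `/nonexistent/...` path and the scratch directory used in `demo_findings()` are constructed sample input. Run it under the low‑privileged account that a build agent or application actually executes as, pointing it at the vcpkg‑installed `openssl` binary.

```python
"""Audit the directories an OpenSSL build searches for its configuration.

Added example, not part of the advisory: locate OPENSSLDIR / ENGINESDIR /
MODULESDIR as reported by `openssl version -a` and flag any that the current,
unprivileged user can write to.  A user-writable configuration directory is
the precondition for the uncontrolled-search-path class of bug described in
the advisory.
"""
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional

# `openssl version -a` prints lines such as (real format, sample values):
#   OPENSSLDIR: "C:\Program Files\Common Files\SSL"
#   ENGINESDIR: "/usr/lib/engines-3"
#   MODULESDIR: "/usr/lib/ossl-modules"
_DIR_LINE = re.compile(r'^(OPENSSLDIR|ENGINESDIR|MODULESDIR):\s*"?([^"]*)"?\s*$')


def parse_openssl_dirs(version_output: str) -> Dict[str, str]:
    """Extract the search directories from `openssl version -a` text."""
    dirs: Dict[str, str] = {}
    for line in version_output.splitlines():
        m = _DIR_LINE.match(line.strip())
        if m:
            dirs[m.group(1)] = m.group(2)
    return dirs


def dir_writable_by_current_user(path: str) -> Optional[bool]:
    """True/False if `path` exists and is/isn't writable by this user,
    None if it does not exist.  The check actually creates and removes a
    file, because os.access() does not evaluate Windows ACLs reliably."""
    if not os.path.isdir(path):
        return None
    try:
        fd, tmp = tempfile.mkstemp(prefix=".ossl-audit-", dir=path)
    except OSError:
        return False
    os.close(fd)
    os.unlink(tmp)
    return True


def audit_openssl_dirs(version_output: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    for key, path in parse_openssl_dirs(version_output).items():
        state = dir_writable_by_current_user(path)
        if state is None:
            # A missing directory deserves a look too: whoever can create it
            # first decides what configuration ends up there.
            findings.append(f"{key} {path!r} does not exist; check whether its "
                            "parent directory is writable by unprivileged users")
        elif state:
            findings.append(f"{key} {path!r} is writable by the current user; "
                            "an openssl.cnf dropped here would be loaded by "
                            "every process using this build")
    return findings


def audit_installed_openssl(openssl_exe: str = "openssl") -> List[str]:
    """Run a real binary (e.g. the vcpkg-installed openssl.exe) and audit it."""
    out = subprocess.run([openssl_exe, "version", "-a"],
                         capture_output=True, text=True, check=True).stdout
    return audit_openssl_dirs(out)


def demo_findings() -> List[str]:
    """Audit constructed `openssl version -a` output: OPENSSLDIR points at a
    scratch directory this user owns (so it is writable) and ENGINESDIR at a
    path that does not exist.  Sample data only, not a real installation."""
    scratch = tempfile.mkdtemp(prefix="ossl-demo-")
    constructed = (
        "OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)\n"
        f'OPENSSLDIR: "{scratch}"\n'
        'ENGINESDIR: "/nonexistent/engines-3"\n'
    )
    try:
        return audit_openssl_dirs(constructed)
    finally:
        os.rmdir(scratch)


if __name__ == "__main__":
    import sys
    # Usage: python audit_openssl_dirs.py [path\to\vcpkg\installed\...\openssl.exe]
    for finding in audit_installed_openssl(*sys.argv[1:2]):
        print("FINDING:", finding)
```

A clean result means the directories this build will search are neither writable by nor missing for the account you ran as; run it once per service account that executes software built with the vcpkg port, since the answer depends on who is asking.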