Microsoft vcpkg OpenSSL Port Vulnerability CVE-2026-34054 Allows Local Privilege Escalation
A high-severity vulnerability in Microsoft's vcpkg port of OpenSSL allows local attackers to escalate privileges and execute arbitrary code, with a patch now available via GitHub.
Microsoft has addressed a local privilege escalation vulnerability in its vcpkg port of OpenSSL, tracked as CVE-2026-34054. The flaw, disclosed by the Zero Day Initiative on April 15, 2026, carries a CVSS score of 7.8 and affects applications built using the affected vcpkg OpenSSL package. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
The specific weakness lies in an uncontrolled search path element within the OpenSSL configuration. The product loads configuration from an unsecured location, allowing an attacker to which a low-privileged attacker can write malicious data. By placing a crafted configuration file in that location, the attacker can cause a higher-privileged process to load and execute arbitrary code, effectively escalating privileges to the level of the target process. This could lead to full system compromise, including data theft, installation of malware, or persistent backdoor access.
The vulnerability was reported to Microsoft by researcher Xavier DANEST on March 10, 2026. Microsoft has issued an update to correct the issue, detailed in a GitHub security advisory at https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9. Users and developers who rely on the vcpkg port of OpenSSL are urged to update their packages immediately to mitigate the risk.
vcpkg is a cross-platform package manager for C and C++ libraries, widely used in development environments to simplify dependency management. The OpenSSL port is a common component that provides cryptographic functionality to applications built with vcpkg. Because the vulnerability is local, it primarily affects multi-user systems or environments where untrusted users have access to low-privileged accounts, such as shared development servers, enterprise workstations, or cloud-based development instances.
This disclosure highlights the ongoing challenge of securing software supply chains, particularly in package management systems where configuration files and dependencies can be manipulated. While the vulnerability requires local access, its high impact and the widespread use of OpenSSL make patching critical. Organizations should prioritize updating their vcpkg installations and review their development environments for any signs of exploitation.
The coordinated disclosure process between the researcher, Microsoft, and ZDI ensured that a patch was available before public details were released. This case underscores the importance of responsible disclosure in mitigating risks before attackers can weaponize the information.