vcpkg OpenSSL Uncontrolled Search Path Vulnerability on Windows

Vulnerability

A vulnerability exists in vcpkg's Windows builds of OpenSSL prior to version 3.6.1#3, where 'openssldir' is set to a path on the build machine and compiled into the library. Because that path need not exist on the machines where the library is later used, a low-privilege user can create the same path there, and a high-privilege user running the library later will search it. The issue arises because OpenSSL searches the configured directory for engines to load, potentially leading to unauthorized code execution or privilege escalation.

Impact

Exploitation of this vulnerability could allow a low-privilege user to hijack OpenSSL's search path, leading to unauthorized loading of code by a high-privilege user.

Remediation

Users can upgrade to vcpkg's OpenSSL port version 3.6.1#3, which addresses this vulnerability by no longer setting 'openssldir' to a build-machine path that could be exploited.
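To check whether an installed build is exposed, the following audit script (added here; it is not vcpkg's or OpenSSL's own code) reads the OPENSSLDIR, ENGINESDIR and MODULESDIR strings that OpenSSL compiles into libcrypto, then reports whether each directory exists and whether a low-privilege user could create or write it; it checks the deepest existing ancestor, because the vulnerable case is a directory that does not yet exist. The DLL location is an assumed example path.

```powershell
# Added audit script (not from vcpkg or OpenSSL). The default DLL path is an assumption.
param(
    [string]$LibCrypto = 'C:\vcpkg\installed\x64-windows\bin\libcrypto-3-x64.dll'
)

# OpenSSL embeds the directories as literal strings, e.g.  OPENSSLDIR: "C:\some\path"
$bytes = [System.IO.File]::ReadAllBytes($LibCrypto)
$text  = [System.Text.Encoding]::ASCII.GetString($bytes)
$found = @{}
foreach ($m in [regex]::Matches($text, '(OPENSSLDIR|ENGINESDIR|MODULESDIR): "([^"]+)"')) {
    $found[$m.Groups[1].Value] = $m.Groups[2].Value
}

# Principals that every low-privilege local user is a member of.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$createMask = [int][System.Security.AccessControl.FileSystemRights]'CreateDirectories, CreateFiles, Write'

# Walk up until a directory that actually exists; that is where a missing path would be created.
function Get-DeepestExistingAncestor([string]$Path) {
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p)) { $p = Split-Path -Parent $p }
    return $p
}

# True if any Allow ACE grants a low-privilege principal create/write rights on $Dir.
function Test-LowPrivWritable([string]$Dir) {
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $createMask) -ne 0) { return $true }
    }
    return $false
}

foreach ($kind in $found.Keys) {
    $dir    = $found[$kind]
    $anchor = Get-DeepestExistingAncestor $dir
    $risk   = if ($anchor) { Test-LowPrivWritable $anchor } else { $false }
    [pscustomobject]@{
        Setting          = $kind
        Path             = $dir
        Exists           = (Test-Path -LiteralPath $dir)
        CheckedAt        = $anchor
        LowPrivCanCreate = $risk
    }
}
```

A row with Exists = False and LowPrivCanCreate = True is the condition this advisory describes; a build from the fixed port version should not report a build-machine path at all.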

Added: Mar 31, 2026, 3:25 AM
Updated: Mar 31, 2026, 3:25 AM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          8.6
impact          7.5
exploitability  4.1
remediation     7.7
relevance       5.0
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.