CVE-2026-34054
7.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
openssl on Windows built with openssldir set from the build machine (Uncontrolled Search Path Element)
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, leaving that path open to attack later on customer machines. This issue has been patched in version 3.6.1#3.
References
- https://github.com/microsoft/vcpkg/security/advisories/GHSA-p322-v6vw-vrq9 x_refsource_CONFIRM
- https://github.com/microsoft/vcpkg/pull/50518 x_refsource_MISC
Affected products
vcpkg
- ==< 3.6.1#3
Matching in nixpkgs
pkgs.vcpkg
C++ Library Manager for Windows, Linux, and macOS
- nixos-unstable 2026.01.16
- nixpkgs-unstable 2026.01.16
- nixos-unstable-small 2026.01.16
- nixos-25.11 2025.10.17
- nixos-25.11-small 2025.10.17
- nixpkgs-25.11-darwin 2025.10.17
pkgs.vcpkg-tool
Components of microsoft/vcpkg's binary
- nixos-unstable 2025-12-16
- nixpkgs-unstable 2025-12-16
- nixos-unstable-small 2025-12-16
- nixos-25.11 2025-10-16
- nixos-25.11-small 2025-10-16
- nixpkgs-25.11-darwin 2025-10-16
pkgs.vcpkg-tool-unwrapped
Components of microsoft/vcpkg's binary
- nixos-unstable 2025-12-16
- nixpkgs-unstable 2025-12-16
- nixos-unstable-small 2025-12-16
- nixos-25.11 2025-10-16
- nixos-25.11-small 2025-10-16
- nixpkgs-25.11-darwin 2025-10-16
Package maintainers
- @h7x4 h7x4 <h7x4@nani.wtf>
- @gracicot Guillaume Racicot <dev@gracicot.com>
- @Guekka Guekka