EUVD-2026-17285CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
vcpkg is a free and open-source C/C++ package manager. Prior to version 3.6.1#3, vcpkg's Windows builds of OpenSSL set openssldir to a path on the build machine, making that path be attackable later on customer machines. This issue has been patched in version 3.6.1#3.
Analysis
Local privilege escalation via hardcoded build path in vcpkg's OpenSSL binaries affects Windows users of the C/C++ package manager prior to version 3.6.1#3. The vulnerability allows authenticated local attackers with low privileges to achieve high confidentiality, integrity, and availability impact (CVSS 7.8) by exploiting the hardcoded openssldir path that references the original build machine. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running vcpkg versions prior to 3.6.1#3 using inventory scans and developer surveys. Within 7 days: Upgrade vcpkg to version 3.6.1#3 or later across all development environments; regenerate any private keys or credentials that may have been accessible via hardcoded paths. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today