Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Published: 2026-05-05
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack buffer overflow (CWE‑121) in the RunSbieCtrl handler of the SbieIniServer component of sandboxie‑plus. The handler copies an arbitrary payload into a fixed‑size WCHAR buffer without length verification, allowing an overflow that can crash the SbieSvc service or, with crafted input, lead to code execution with SYSTEM privileges.

Affected Systems

Sandboxie‑Plus versions 1.17.2 and earlier are affected. This open‑source sandbox isolation tool for Windows runs a service pipe with a NULL DACL, enabling any local interactive process to connect to the pipe. Users of an affected version should upgrade to 1.17.3 or later to eliminate the flaw.

Risk and Exploitability

The flaw has a CVSS score of 7.3, indicating high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The likely attack vector is local: any interactive process can open the service pipe and send an oversized payload, triggering the buffer overflow. Successful exploitation could crash the service or allow execution of injected code with SYSTEM rights, resulting in local privilege escalation or denial of service.

Generated by OpenCVE AI on May 5, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade sandboxie‑plus to version 1.17.3 or newer, where the overflow bug has been fixed.
  • If an upgrade is delayed, restrict access to the SbieSvc pipe by applying a non‑null DACL or disabling the pipe for non‑trusted processes.
  • Monitor the SbieSvc process for abnormal termination or unexpected activity and investigate crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on May 5, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Sandboxie-plus
Sandboxie-plus sandboxie
Vendors & Products Sandboxie-plus
Sandboxie-plus sandboxie

Tue, 05 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Title Sandboxie-Plus SbieIniServer RunSbieCtrl stack buffer overflow allows local privilege escalation
Weaknesses CWE-121
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sandboxie-plus Sandboxie
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:28:44.675Z

Reserved: 2026-03-27T18:18:14.896Z

Link: CVE-2026-34461

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T20:16:37.460

Modified: 2026-05-05T20:16:37.460

Link: CVE-2026-34461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T22:30:33Z

Weaknesses