Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Published: 2026-05-05
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sandboxie-Plus v1.17.2 and earlier contain a stack buffer overflow in several ProcessServer handlers (KillAllHandler, SuspendAllHandler, RunSandboxedHandler) that use the wide‑character copy function wcscpy to copy a boxname field into a fixed stack buffer without verifying null termination. When the service pipe is supplied with a packet larger than the request structure, the attacker can supply arbitrary wide characters after the boxname field. The unbounded copy will read past the intended field into the stack buffer, corrupting control data and potentially allowing the attacker to execute arbitrary code with the privileges of the SbieSvc service. The existing NULL DACL on the service pipe permits any local process to connect before authorization checks, making the vulnerability exploitable locally without prior privilege.

Affected Systems

The affected product is Sandboxie‑Plus from the Sandboxie family. Versions 1.17.2 and earlier are impacted. The vulnerability has been addressed by upgrading to version 1.17.3 or later.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity risk. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local attacker connecting to the sandbox service pipe, which is accessible to any user due to the NULL DACL. Because the unsafe copy occurs before authentication, an attacker can trigger a stack corruption that may lead to a crash or, if successfully exploited, gain SYSTEM level execution.

Generated by OpenCVE AI on May 5, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sandboxie‑Plus product to version 1.17.3 or newer, which eliminates the unsafe wchar buffer copy.
  • Restart the SbieSvc service after applying the patch to clear any corrupted stack state and load the updated code
  • If upgrading is not immediately possible, limit access to the sandbox service pipe or disable the ProcessServer handlers until the patch can be applied, thereby preventing local exploitation

Generated by OpenCVE AI on May 5, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Sandboxie-plus
Sandboxie-plus sandboxie
Vendors & Products Sandboxie-plus
Sandboxie-plus sandboxie

Tue, 05 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Title Sandboxie-Plus ProcessServer boxname stack buffer overflows via unterminated wide string copy
Weaknesses CWE-121
CWE-170
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Sandboxie-plus Sandboxie
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:30:37.189Z

Reserved: 2026-03-27T18:18:14.896Z

Link: CVE-2026-34462

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T20:16:37.610

Modified: 2026-05-05T20:16:37.610

Link: CVE-2026-34462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T22:00:11Z

Weaknesses