Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Published: 2026-05-05
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a stack buffer overflow in Sandboxie-Plus 1.17.2 and earlier: NamedPipeServer::OpenHandler copies the server field into a fixed 160-wide-character stack buffer using wcscat without verifying that the field is null-terminated. An attacker running a sandboxed process can send a crafted request that overflows the buffer, crashing the SbieSvc service or potentially executing code with SYSTEM privileges, which makes the flaw a sandbox escape vector.

Affected Systems

Sandboxie-Plus 1.17.2 and all earlier releases are affected. The vulnerability is in the SbieSvc service component of Sandboxie-Plus, which sandboxed processes can message, and does not impact the base Windows operating system.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, though the potential for SYSTEM code execution makes it a serious threat. Exploitation requires the attacker to be able to run a process within the sandbox; once inside, the attacker can send the malformed NamedPipe request to trigger the overflow. The restricted attack surface reduces the likelihood of widespread exploitation, but the impact of a successful attack is catastrophic.

Generated by OpenCVE AI on May 5, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Sandboxie-Plus to version 1.17.3 or later, which applies a proper bounds check around the server field.
  • If an immediate update is not possible, consider disabling the NamedPipeServer feature or restricting sandboxed processes from accessing the IPC mechanism.
  • Monitor the SbieSvc logs and system stability for signs of crashes or abnormal activity, and apply additional host‑based intrusion detection rules to detect potential exploitation attempts.
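
A sketch of the kind of bounds check the description calls for, added here as an illustration; it is not Sandboxie-Plus code and not the 1.17.3 fix. The struct layout, the two-backslash prefix, and the names open_req_t, build_pipename and demo_check are assumptions; only the sizes 48 and 160 come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* 16-bit wide char, as WCHAR is on Windows */
#define SERVER_LEN   48     /* server[48], from the description */
#define PIPENAME_LEN 160    /* pipename[160], from the description */

/* Simplified stand-in (assumption): the real NAMED_PIPE_OPEN_REQ has more fields. */
typedef struct { uint32_t msg_len; WCHAR16 server[SERVER_LEN]; } open_req_t;

/* Build prefix + server in out. Returns the name length, or -1 if rejected. */
int build_pipename(const uint8_t *pkt, size_t pkt_len, WCHAR16 out[PIPENAME_LEN]) {
    static const char prefix[] = "\\\\";           /* constructed prefix: two backslashes */
    size_t plen = sizeof prefix - 1, slen = 0;
    open_req_t req;

    if (pkt_len < sizeof req) return -1;           /* minimum packet size */
    memcpy(&req, pkt, sizeof req);                 /* bytes after the struct are never read */
    while (slen < SERVER_LEN && req.server[slen] != 0) slen++;
    if (slen == SERVER_LEN) return -1;             /* no terminator inside server[48] */
    if (plen + slen + 1 > PIPENAME_LEN) return -1; /* destination bound, incl. terminator */

    for (size_t i = 0; i < plen; i++) out[i] = (WCHAR16)prefix[i];
    memcpy(out + plen, req.server, slen * sizeof(WCHAR16));
    out[plen + slen] = 0;
    return (int)(plen + slen);
}

/* Constructed input: `filled` non-zero chars in server[], `extra` chars after the struct. */
int demo_check(size_t filled, size_t extra) {
    uint8_t pkt[sizeof(open_req_t) + 512 * sizeof(WCHAR16)] = {0};
    WCHAR16 out[PIPENAME_LEN], a = 'A', b = 'B';
    size_t off = offsetof(open_req_t, server);

    if (filled > SERVER_LEN || extra > 512) return -2;
    for (size_t i = 0; i < filled; i++) memcpy(pkt + off + i * sizeof a, &a, sizeof a);
    for (size_t i = 0; i < extra; i++)
        memcpy(pkt + sizeof(open_req_t) + i * sizeof b, &b, sizeof b);
    return build_pipename(pkt, sizeof(open_req_t) + extra * sizeof b, out);
}

int main(void) {
    printf("terminated name:       %d\n", demo_check(10, 0));
    printf("full field + trailing: %d\n", demo_check(SERVER_LEN, 200));
    return 0;
}
```

The request is rejected whenever the fixed field has no terminator, regardless of how much data follows the structure, and the destination length is checked before anything is written.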

Advisories

No advisories yet.

History

Tue, 05 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sandboxie-plus; Sandboxie-plus sandboxie
Vendors & Products | | Sandboxie-plus; Sandboxie-plus sandboxie

Tue, 05 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Title | | Sandboxie-Plus NamedPipeServer OpenHandler stack overflow via unterminated server field
Weaknesses | | CWE-121; CWE-170
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:31:54.814Z

Reserved: 2026-03-27T18:18:14.896Z

Link: CVE-2026-34464

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T20:16:37.773

Modified: 2026-05-05T20:16:37.773

Link: CVE-2026-34464

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T22:00:11Z

Weaknesses