Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit value. As a result, the stored EditPassword hash only preserves the low nibble of each digest byte, reducing the effective entropy from 160 bits to 80 bits. This is layered on top of an unsalted SHA-1 scheme. The reduced entropy makes leaked or backed-up password hashes materially easier to brute-force.

This issue has been fixed in version 1.17.3.
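The nibble bug and its fix side by side, as an added example written for this page (not Sandboxie's code; reconstructed from the description above): digest_to_hex takes the high-nibble shift as a parameter, 8 reproducing the bug and 4 the fix, and the counting helpers show why only 80 of the 160 digest bits survive in the stored hash. Function and constant names are assumptions, and the sample digest bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DIGEST_LEN 20   /* SHA-1 digest size in bytes */
#define BUGGY_SHIFT 8   /* shift the advisory describes: always yields 0 for an 8-bit value */
#define FIXED_SHIFT 4   /* correct shift for the high nibble */
static const char HEX[] = "0123456789abcdef";

/* Hex-encode a digest; high_shift selects how the high nibble of each byte is
 * extracted. With 8 the high character is always '0', so only the low nibble survives. */
void digest_to_hex(const uint8_t *digest, size_t len, int high_shift, char *out) {
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = HEX[(digest[i] >> high_shift) & 0xF];
        out[2 * i + 1] = HEX[digest[i] & 0xF];
    }
    out[2 * len] = '\0';
}

/* Feed all 256 byte values through the conversion and count the distinct
 * two-character outputs: 16 with the buggy shift, 256 with the fixed one. */
int distinct_outputs_per_byte(int high_shift) {
    int seen[256] = {0}, count = 0;
    for (int b = 0; b < 256; b++) {
        uint8_t byte = (uint8_t)b;
        char out[3];
        digest_to_hex(&byte, 1, high_shift, out);
        int idx = (int)(strchr(HEX, out[0]) - HEX) * 16 + (int)(strchr(HEX, out[1]) - HEX);
        if (!seen[idx]) { seen[idx] = 1; count++; }
    }
    return count;
}

/* Digest bits preserved by the stored hash: log2(distinct outputs) per byte
 * times 20 bytes, i.e. 80 for the buggy shift and 160 for the fixed one. */
int effective_bits(int high_shift) {
    int distinct = distinct_outputs_per_byte(high_shift), bits = 0;
    while (distinct > 1) { distinct >>= 1; bits++; }
    return bits * DIGEST_LEN;
}

int main(void) {
    uint8_t digest[DIGEST_LEN];   /* constructed sample bytes, not a real SHA-1 digest */
    for (int i = 0; i < DIGEST_LEN; i++) digest[i] = (uint8_t)(0xA5 + 0x11 * i);
    char hex[2 * DIGEST_LEN + 1];
    digest_to_hex(digest, DIGEST_LEN, BUGGY_SHIFT, hex);
    printf("buggy (%3d bits): %s\n", effective_bits(BUGGY_SHIFT), hex);
    digest_to_hex(digest, DIGEST_LEN, FIXED_SHIFT, hex);
    printf("fixed (%3d bits): %s\n", effective_bits(FIXED_SHIFT), hex);
    return 0;
}
```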
Published: 2026-05-05
Score: 2 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Sandboxie-Plus v1.17.2 and earlier, SbieIniServer::HashPassword extracts the high nibble of each byte incorrectly when converting a SHA-1 digest to hexadecimal, so that nibble is always zero. The stored EditPassword hash therefore preserves only the low nibble of each digest byte, shrinking the effective entropy from 160 bits to 80 bits. The weakness is classified as CWE-328 (Use of Weak Hash). Because the underlying scheme is unsalted SHA-1, an attacker who obtains the hash can brute-force the original password far more quickly than against the full digest. The impact is reduced password hash entropy.

Affected Systems

The vulnerability affects Sandboxie-Plus up to and including v1.17.2; version 1.17.3 and later contain the fix. The defective code is SbieIniServer::HashPassword, and the weakened hash is what gets stored as the EditPassword entry in the sandbox configuration files on Windows systems running the affected versions.

Risk and Exploitability

The CVSS 4.0 score of 2 indicates low severity (the vector is local access, high attack complexity, with low privileges required), and no EPSS score is available. The vulnerability is not listed in CISA KEV, implying that widespread public exploitation has not been documented. Nonetheless, an attacker with access to the sandbox configuration, for instance via a backup or a local compromise, can obtain the weakened EditPassword hash and, because of the reduced entropy, mount a practical brute-force attack against it. The likely attack vector is local, or any channel that exposes the sandbox configuration data. This inference is based on the description.

Generated by OpenCVE AI on May 5, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sandboxie‑Plus to version 1.17.3 or newer.
  • After upgrading, reset the EditPassword to a new strong password to generate a hash with full entropy.
  • Secure or encrypt backups of sandbox configuration files to prevent accidental disclosure of the EditPassword hash.
  • If upgrading is not possible, disable the EditPassword feature or delete the stored hash to reset sandbox access control.

Advisories

No advisories yet.

History

Tue, 05 May 2026 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sandboxie-plus; Sandboxie-plus sandboxie
Vendors & Products  |                | Sandboxie-plus; Sandboxie-plus sandboxie

Tue, 05 May 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit value. As a result, the stored EditPassword hash only preserves the low nibble of each digest byte, reducing the effective entropy from 160 bits to 80 bits. This is layered on top of an unsalted SHA-1 scheme. The reduced entropy makes leaked or backed-up password hashes materially easier to brute-force. This issue has been fixed in version 1.17.3.
Title       |                | Sandboxie-Plus EditPassword hash entropy reduced from 160 bits to 80 bits due to incorrect nibble extraction
Weaknesses  |                | CWE-328
References  |                |
Metrics     |                | cvssV4_0 {'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:33:24.638Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34527

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T20:16:37.930

Modified: 2026-05-05T20:16:37.930

Link: CVE-2026-34527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T22:00:12Z

Weaknesses