Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required.

This issue has been fixed in version 1.17.3.
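The description above is the textbook CWE-367 shape: the hash check and the extraction both name the same path, but nothing guarantees they see the same bytes. The block below is an added illustration, not code from the Sandboxie-Plus project and not the 1.17.3 fix (which this page does not detail). It uses a zip archive as a stand-in for files.cab, a temporary directory as a stand-in for %TEMP%\sandboxie-updater, and a callback as the attacker's window between check and use. The vulnerable variant re-opens the path for extraction and runs whatever was swapped in; the hardened variant hashes the bytes it will actually extract, so a later swap of the on-disk file changes nothing.

```python
import hashlib
import io
import os
import tempfile
import zipfile

PAYLOAD_NAME = "config.exe"  # the member install.bat executes from the cabinet


def build_archive(payload: bytes) -> bytes:
    """Build an in-memory archive with one member named config.exe.
    zip stands in for the cabinet; the race does not depend on the container format."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(PAYLOAD_NAME, payload)
    return buf.getvalue()


def sha256_of_path(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def vulnerable_install(archive_path: str, expected_sha256: str, attacker_window) -> bytes:
    """Check by path, then use by path: the pattern the advisory describes."""
    if sha256_of_path(archive_path) != expected_sha256:
        raise ValueError("manifest hash mismatch")
    attacker_window()  # in the real flow: control passes from UpdUtil to install.bat
    with zipfile.ZipFile(archive_path) as z:  # re-opens whatever is at the path now
        return z.read(PAYLOAD_NAME)


def hardened_install(archive_path: str, expected_sha256: str, attacker_window) -> bytes:
    """Read once, verify the bytes that were read, extract from those same bytes."""
    with open(archive_path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("manifest hash mismatch")
    attacker_window()  # the swap still happens, but only the on-disk copy changes
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(PAYLOAD_NAME)


def run_race(install) -> bytes:
    """Stage a genuine archive, then let a simulated attacker swap it in the window.
    Inputs are constructed here; no real add-on or cabinet is involved."""
    genuine = build_archive(b"GENUINE")
    malicious = build_archive(b"MALICIOUS")
    expected = hashlib.sha256(genuine).hexdigest()  # what a signed manifest would carry
    with tempfile.TemporaryDirectory() as staging:  # stands in for %TEMP%\sandboxie-updater
        archive = os.path.join(staging, "files.cab")
        with open(archive, "wb") as f:
            f.write(genuine)

        def swap_in_malicious():
            tmp = archive + ".swap"
            with open(tmp, "wb") as f:
                f.write(malicious)
            os.replace(tmp, archive)  # atomic rename: the path now holds the crafted archive

        return install(archive, expected, swap_in_malicious)


def demo() -> dict:
    """Returns which payload each variant would have executed."""
    return {
        "vulnerable": run_race(vulnerable_install).decode(),
        "hardened": run_race(hardened_install).decode(),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'MALICIOUS', 'hardened': 'GENUINE'}
```

Hashing the in-memory bytes is one remedy; the other, complementary one is to stage the download somewhere an unprivileged user cannot write at all, so the SYSTEM process never trusts a path a lower-privileged principal controls. Both are general CWE-367 mitigations, not a statement of what 1.17.3 does.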
Published: 2026-05-05
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sandboxie-Plus installs add-ons through UpdUtil.exe, which the SbieSvc service launches as SYSTEM. The installer stages the add-on in the user-writable %TEMP%\sandboxie-updater directory, verifies the staged files' hashes against the signed add-on manifest, and then hands off to install.bat, which extracts files.cab and runs config.exe from it. The check and the use refer to the same path but not the same bytes: between hash verification and extraction an unprivileged local user can replace files.cab with a crafted cabinet, and the config.exe inside it runs as SYSTEM. The result is a local privilege escalation from a standard user account to SYSTEM without any User Account Control prompt.

Affected Systems

Sandboxie-Plus 1.17.2 and all earlier releases are affected; any Windows host running one of those versions is exposed if a local user can trigger an add-on installation. The issue is fixed in version 1.17.3.

Risk and Exploitability

The CVSS 4.0 score of 5.4 rates the issue medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is recorded. The vector (AV:L/AC:L/AT:P/PR:L/UI:A) describes a local attack by a low-privileged user that depends on winning the race (AT:P) while an add-on installation is triggered through the SandMan interface (UI:A); a successful attacker gains full control of the host (VC:H/VI:H/VA:H). No UAC prompt is involved because UpdUtil.exe is launched as SYSTEM by the SbieSvc service rather than through elevation, so the replaced config.exe runs without any consent dialog that might alert the user.

Generated by OpenCVE AI on May 5, 2026 at 21:22 UTC.

Remediation

Vendor fix: Sandboxie-Plus 1.17.3 (see Description above). No workaround other than upgrading is published.

OpenCVE Recommended Actions

  • Upgrade Sandboxie-Plus to version 1.17.3 or later.
  • Until the upgrade is applied, do not install add-ons through the SandMan interface on hosts where other local accounts exist; the race needs a local process that can write to %TEMP%\sandboxie-updater while an installation is in progress.
  • If an unprivileged user could have run an add-on installation on an affected version, treat the host as potentially compromised at SYSTEM level: review what is left in %TEMP%\sandboxie-updater and what install.bat and UpdUtil.exe spawned, and after updating reinstall add-ons only from trusted sources.

Advisories

No advisories yet.

History

Tue, 05 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Sandboxie-plus; Sandboxie-plus sandboxie
Vendors & Products   -                Sandboxie-plus; Sandboxie-plus sandboxie

Tue, 05 May 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                (the description shown at the top of this page)
Title         -                Sandboxie-Plus local privilege escalation via TOCTOU race condition in UpdUtil addon installation
Weaknesses    -                CWE-367
References    -                -
Metrics       -                cvssV4_0: score 5.4, vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:34:50.986Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34596

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-05T20:16:38.080

Modified: 2026-05-05T20:16:38.080

Link: CVE-2026-34596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T21:30:05Z

Weaknesses