Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \Device\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround.
AnalysisAI
Local denial of service in Sandboxie 1.17.2 and earlier allows unprivileged processes inside Standard Sandbox configurations to crash the Windows kernel (BSOD) by sending malformed IOCTL requests to the SandboxieDriverApi kernel driver. Fixed in version 1.17.3 released by Sandboxie-Plus. Security Hardened Sandbox configurations are not affected. No active exploitation confirmed (not in CISA KEV), but the vulnerability is trivially exploitable by any process within an affected sandbox, enabling local attackers or malicious sandboxed applications to force immediate system-wide service disruption.
Technical ContextAI
This vulnerability affects the Sandboxie kernel-mode driver (SandboxieDriverApi), which provides the isolation enforcement layer for Windows-based sandbox environments. The flaw is rooted in CWE-20 (Improper Input Validation), specifically in the IOCTL (Input/Output Control) handler that processes requests from userspace processes to the kernel driver. IOCTLs are the communication mechanism between user-mode applications and Windows kernel drivers. When a sandboxed process sends a crafted IOCTL to the \Device\SandboxieDriverApi device object, insufficient validation of the IOCTL parameters or buffer structures triggers a kernel-mode exception, resulting in a bug check (BSOD). The vulnerability exists in the Standard Sandbox configuration, which provides application isolation without the additional kernel attack surface hardening present in the Security Hardened Sandbox mode. The affected product is cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:*:*:*:*, specifically versions prior to 1.17.3.
RemediationAI
Update to Sandboxie-Plus version 1.17.3 or later, released by the vendor to address this vulnerability alongside multiple other security issues including EditAdminOnly bypass via CRLF injection and weaknesses in ProcessServer validation (https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3). Organizations unable to immediately deploy version 1.17.3 should switch affected sandboxes from Standard Sandbox configuration to Security Hardened Sandbox configuration, which is not vulnerable to this IOCTL validation flaw. This workaround provides immediate protection but may impose additional restrictions on sandboxed application functionality, including stricter system call filtering and reduced kernel driver interaction - test application compatibility before deploying to production malware analysis or application testing environments. For environments where Security Hardened mode breaks required functionality and patching is delayed, consider isolating Sandboxie hosts from critical infrastructure to limit blast radius of potential BSOD attacks, though this does not prevent the denial of service itself.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27436