Skip to main content

Sandboxie CVE-2026-32603

| EUVDEUVD-2026-27436 HIGH
Improper Input Validation (CWE-20)
2026-05-05 GitHub_M
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 05, 2026 - 22:00 vuln.today
Analysis Generated
May 05, 2026 - 22:00 vuln.today
Patch available
May 05, 2026 - 21:02 EUVD
CVSS changed
May 05, 2026 - 20:22 NVD
8.2 (HIGH)

DescriptionGitHub Advisory

Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \Device\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround.

AnalysisAI

Local denial of service in Sandboxie 1.17.2 and earlier allows unprivileged processes inside Standard Sandbox configurations to crash the Windows kernel (BSOD) by sending malformed IOCTL requests to the SandboxieDriverApi kernel driver. Fixed in version 1.17.3 released by Sandboxie-Plus. Security Hardened Sandbox configurations are not affected. No active exploitation confirmed (not in CISA KEV), but the vulnerability is trivially exploitable by any process within an affected sandbox, enabling local attackers or malicious sandboxed applications to force immediate system-wide service disruption.

Technical ContextAI

This vulnerability affects the Sandboxie kernel-mode driver (SandboxieDriverApi), which provides the isolation enforcement layer for Windows-based sandbox environments. The flaw is rooted in CWE-20 (Improper Input Validation), specifically in the IOCTL (Input/Output Control) handler that processes requests from userspace processes to the kernel driver. IOCTLs are the communication mechanism between user-mode applications and Windows kernel drivers. When a sandboxed process sends a crafted IOCTL to the \Device\SandboxieDriverApi device object, insufficient validation of the IOCTL parameters or buffer structures triggers a kernel-mode exception, resulting in a bug check (BSOD). The vulnerability exists in the Standard Sandbox configuration, which provides application isolation without the additional kernel attack surface hardening present in the Security Hardened Sandbox mode. The affected product is cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:*:*:*:*, specifically versions prior to 1.17.3.

RemediationAI

Update to Sandboxie-Plus version 1.17.3 or later, released by the vendor to address this vulnerability alongside multiple other security issues including EditAdminOnly bypass via CRLF injection and weaknesses in ProcessServer validation (https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3). Organizations unable to immediately deploy version 1.17.3 should switch affected sandboxes from Standard Sandbox configuration to Security Hardened Sandbox configuration, which is not vulnerable to this IOCTL validation flaw. This workaround provides immediate protection but may impose additional restrictions on sandboxed application functionality, including stricter system call filtering and reduced kernel driver interaction - test application compatibility before deploying to production malware analysis or application testing environments. For environments where Security Hardened mode breaks required functionality and patching is delayed, consider isolating Sandboxie hosts from critical infrastructure to limit blast radius of potential BSOD attacks, though this does not prevent the denial of service itself.

Share

CVE-2026-32603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy