Skip to main content

Sandboxie-Plus CVE-2026-34459

| EUVDEUVD-2026-27458 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-05 GitHub_M
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 05, 2026 - 21:02 EUVD
Analysis Generated
May 05, 2026 - 20:30 vuln.today
CVSS changed
May 05, 2026 - 20:22 NVD
8.8 (HIGH)

DescriptionGitHub Advisory

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.

AnalysisAI

Stack buffer overflow in Sandboxie-Plus SbieSvc proxy service enables SYSTEM privilege escalation from sandboxed processes, including Security Hardened Sandboxes. Attackers chain an information disclosure (returning up to 32KB uninitialized stack memory with ASLR/stack cookie bypass) with an unbounded memcpy overflow in the GetRawInputDeviceInfoSlave IPC handler. Intel CET shadow stacks block ROP exploitation but not the information leak itself. Vendor-released patch available in version 1.17.3. No public exploit identified at time of analysis, but attack complexity is rated high (AC:H) with low privilege requirements (PR:L), making this viable for motivated attackers targeting sandbox environments.

Technical ContextAI

Sandboxie-Plus is a Windows application sandboxing solution that isolates untrusted processes using a kernel driver and user-mode service (SbieSvc). The vulnerability resides in the SbieSvc proxy service's IPC handler for GetRawInputDeviceInfo, which wraps Windows raw input device enumeration APIs. The flaw is a classic CWE-121 stack-based buffer overflow combined with uninitialized memory disclosure. When handling IPC requests from sandboxed processes, the service allocates a 32KB stack buffer but fails to validate the cbSize parameter before calling memcpy, allowing length-controlled overwrites. Setting cbSize=0 triggers a separate code path that returns stack garbage containing security-critical data (return addresses for ASLR bypass, stack cookies for /GS mitigation bypass). The local attack vector (AV:L) reflects the design: exploitation requires code execution inside a Sandboxie sandbox, which by definition runs locally on the target system. Attack complexity is high (AC:H) because successful exploitation requires precise memory layout knowledge, ROP chain construction, and coordination between the information leak and overflow primitives. The AT:P (Attack Requirements: Present) metric indicates specific conditions must exist for exploitation.

RemediationAI

Upgrade to Sandboxie-Plus version 1.17.3 or later, which addresses both the uninitialized memory disclosure and unbounded memcpy in the GetRawInputDeviceInfoSlave handler per GitHub advisory GHSA-7cpc-5hv7-rfmh. Organizations unable to immediately patch should consider disabling Sandboxie on systems where sandboxed processes originate from untrusted sources (malware analysis, web browser isolation), as exploitation requires code execution inside a sandbox. Hardware-enforced shadow stacks (Intel CET/Shadow Stack) provide partial mitigation by preventing ROP chain execution but do not address the information leak component, which could enable subsequent exploitation of other vulnerabilities. Restricting local user privileges does not mitigate this issue since PR:L (low privilege) sandboxed processes can exploit it. For air-gapped analysis environments, prioritize patching systems where sandbox escape would grant access to sensitive networks or data, as the SYSTEM escalation provides full host compromise. No workaround eliminates the vulnerability short of disabling the SbieSvc service entirely, which breaks all Sandboxie functionality.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Share

CVE-2026-34459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy