Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
AnalysisAI
Stack-based buffer overflow in Sandboxie-Plus SbieSvc service enables sandboxed processes to escape isolation and execute code as SYSTEM. Affected versions 1.17.2 and earlier allow malicious sandboxed code to overflow a fixed 160-wide-character stack buffer in NamedPipeServer::OpenHandler via crafted named pipe open requests, bypassing the fundamental security boundary Sandboxie provides. Fixed in version 1.17.3. EPSS data unavailable, no CISA KEV listing or public exploit identified at time of analysis, but the security boundary violation represents a complete defeat of Sandboxie's core function.
Technical ContextAI
Sandboxie-Plus is a Windows sandbox isolation tool that uses a kernel driver and user-mode service (SbieSvc) running as SYSTEM to intercept and restrict sandboxed process operations. The vulnerability resides in the named pipe IPC handler that processes NAMED_PIPE_OPEN_REQ messages from sandboxed processes. The NamedPipeServer::OpenHandler function uses the unsafe wcscat function to concatenate wide-character strings into a fixed WCHAR pipename[160] stack buffer without validating null termination of the source. The server[48] field from the request structure is treated as null-terminated, but an attacker can fill all 48 wide characters with non-zero values and append additional data beyond the structure boundary. Since the handler only validates minimum packet size rather than maximum, wcscat reads past the intended 48-character limit and writes attacker-controlled data beyond the 160-character stack buffer. This is a classic CWE-121 stack-based buffer overflow, representing a critical flaw in a security boundary enforcement component.
RemediationAI
Upgrade Sandboxie-Plus to version 1.17.3 or later immediately, available from the official GitHub releases at https://github.com/sandboxie-plus/Sandboxie/releases. Version 1.17.3 addresses the buffer overflow by implementing proper bounds checking and null termination validation in NamedPipeServer::OpenHandler. Review the vendor security advisory at https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-cf8x-f33g-vwfg for additional details. No effective workaround exists short of disabling Sandboxie entirely, as the vulnerable code path is integral to sandbox operation and processes all named pipe requests from sandboxed applications. Organizations using Sandboxie for malware analysis or application isolation should treat any sandbox created with versions 1.17.2 or earlier as potentially compromised if it executed untrusted code, and should upgrade before continuing sandbox operations. After upgrading, restart the SbieSvc service or reboot to ensure the patched version is active.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27464