Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
AnalysisAI
Local privilege escalation to SYSTEM in Sandboxie-Plus 1.17.2 and earlier allows low-privileged interactive users to trigger stack buffer overflow in SbieSvc service via unauthenticated IPC, bypassing sandbox isolation controls. The vulnerability exists in the RunSbieCtrl handler which processes crafted messages before security checks and copies unbounded input into a 128-character stack buffer. Fixed in version 1.17.3. EPSS data unavailable; not listed in CISA KEV at time of analysis, but publicly disclosed via GitHub Security Advisory with technical details sufficient for exploit development.
Technical ContextAI
Sandboxie-Plus is a Windows sandbox isolation software that runs a privileged service (SbieSvc) using named pipes for IPC. The vulnerability (CWE-121: Stack-based Buffer Overflow) occurs in the SbieIniServer component's MSGID_SBIE_INI_RUN_SBIE_CTRL message handler. The service creates a named pipe with a NULL DACL (Discretionary Access Control List), granting unrestricted access to any local interactive process. When processing the RunSbieCtrl message, the handler performs a memcpy operation from the message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer (256 bytes) without length validation. Critically, this handler executes before the service's normal sandbox boundary checks and impersonation controls, meaning non-sandboxed callers can trigger the overflow. The affected CPE is cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:*:*:*:* covering versions through 1.17.2.
RemediationAI
Upgrade immediately to Sandboxie-Plus version 1.17.3 or later, which contains the fix for this stack buffer overflow. Download from the official Sandboxie-Plus GitHub releases page. For environments unable to patch immediately, implement the following compensating controls with trade-offs: (1) Restrict local interactive logon access to trusted administrators only via Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > 'Allow log on locally') - eliminates untrusted local attack surface but limits system usability for multi-user scenarios. (2) Deploy application control policies (AppLocker or Windows Defender Application Control) to prevent execution of unauthorized processes that could exploit the IPC interface - adds operational overhead for policy management and may break legitimate workflows. (3) Monitor SbieSvc service for unexpected crashes or restarts via Windows Event Log (System log, Event ID 7034) as potential exploitation indicator - detection-only control providing no prevention. Note: stopping the SbieSvc service entirely disables Sandboxie-Plus sandbox functionality, defeating the product's purpose. Detailed technical advisory: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-wpjw-jh2p-gwx7
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27461