Skip to main content

Sandboxie-Plus EUVDEUVD-2026-27462

| CVE-2026-34462 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-05 GitHub_M
7.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 05, 2026 - 21:02 EUVD
Analysis Generated
May 05, 2026 - 20:31 vuln.today
CVSS changed
May 05, 2026 - 20:22 NVD
7.3 (HIGH)

DescriptionGitHub Advisory

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.

AnalysisAI

Stack-based buffer overflow in Sandboxie-Plus ProcessServer handlers allows local authenticated attackers to execute arbitrary code as SYSTEM or crash the SbieSvc service. The vulnerability affects versions 1.17.2 and earlier, stems from unsafe wcscpy operations on unchecked WCHAR fields from service pipe requests, and has been patched in version 1.17.3. The service pipe's NULL DACL permits any local process to connect and trigger the flaw before authorization checks execute, enabling privilege escalation from low-privileged local accounts. No public exploit code identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for skilled attackers to develop exploits.

Technical ContextAI

Sandboxie-Plus is a Windows isolation sandbox solution that runs a privileged service (SbieSvc) handling inter-process communication via named pipes. The vulnerability resides in ProcessServer handlers (KillAllHandler, SuspendAllHandler, RunSandboxedHandler) that process variable-length request structures containing a fixed-size WCHAR boxname[34] field. The service uses wcscpy to copy this field into a WCHAR[40] stack buffer without verifying null termination. Because the service pipe accepts packets larger than the declared request structure and is created with a NULL DACL (unrestricted access), any local process can send malformed requests with non-null-terminated boxname fields followed by attacker-controlled wide characters. The wcscpy function reads beyond the 34-character boundary, overflowing the 40-character destination buffer. This is a classic CWE-121 stack-based buffer overflow occurring in a privileged service context, triggered before the service performs authorization checks on the request.

RemediationAI

Upgrade immediately to Sandboxie-Plus version 1.17.3 or later, which contains fixes for the unsafe wcscpy operations in ProcessServer handlers. Download the patched release from the official GitHub repository (https://github.com/sandboxie-plus/Sandboxie/releases). If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict local user access to systems running Sandboxie-Plus to only trusted administrators, reducing attacker opportunity to exploit the local-only vulnerability (trade-off: does not prevent exploitation by already-compromised limited accounts). (2) Configure filesystem ACLs to prevent unprivileged users from executing arbitrary local binaries that could connect to the service pipe (trade-off: may break legitimate application functionality and is difficult to enforce comprehensively). (3) Monitor SbieSvc service for unexpected crashes or restarts, which may indicate exploitation attempts (trade-off: provides detection only, not prevention, and crashes may indicate successful denial-of-service attacks). These workarounds are inferior to patching and should be considered temporary measures only. Vendor advisory with complete technical details: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-9cjg-vh9m-hhx4.

Share

EUVD-2026-27462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy