CVE-2026-34458 Overview
CVE-2026-34458 is an INI injection vulnerability in Sandboxie-Plus, an open source sandbox-based isolation tool for Windows. Versions 1.17.2 and earlier allow any standard local user to bypass the EditAdminOnly and ConfigPassword configuration restrictions. The Sandboxie background service skips authorization checks for IPC messages targeting sections that begin with UserSettings_, and it fails to sanitize CRLF characters passed through the value or setting name parameters. An attacker can inject arbitrary directives into the global Sandboxie.ini file, including a new sandbox section header with unrestricted permissions. This enables sandbox escape and SYSTEM privilege escalation. The issue is fixed in version 1.17.3.
Critical Impact
A low-privileged local user can inject configuration directives into Sandboxie.ini and escalate to SYSTEM by abusing the privileged Sandboxie service.
Affected Products
- Sandboxie-Plus version 1.17.2 and earlier
- Sandboxie background service component (SbieSvc)
- Global configuration file Sandboxie.ini
Discovery Timeline
- 2026-05-05 - CVE-2026-34458 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-34458
Vulnerability Analysis
The flaw is a CRLF Injection issue ([CWE-93]) in how the Sandboxie service processes IPC configuration messages. Sandboxie-Plus stores its global configuration in Sandboxie.ini, a file normally writable only by administrators. To allow user-specific preferences, the service exposes IPC handlers that bypass authorization for any section name beginning with UserSettings_.
Two IPC message handlers, MSGID_SBIE_INI_ADD_SETTING and MSGID_SBIE_INI_SET_SETTING, write attacker-controlled data into the INI file without filtering carriage return or line feed characters. Embedding \r\n in either the value or the setting name terminates the current section and lets the attacker append a new INI section with arbitrary directives.
Root Cause
The service treats the UserSettings_ prefix as a trust boundary, then writes user-supplied content directly to the privileged INI file. There is no validation that the value or setting name is a single line. Because INI parsing is line-oriented, injected CRLF sequences allow an attacker to define new sandbox sections with options that grant unrestricted access, drop SYSTEM-level startup commands, or override administrator-defined restrictions.
Attack Vector
A standard local user crafts an IPC message to the Sandboxie service targeting a UserSettings_ section. The value parameter contains a payload such as a setting followed by \r\n[GlobalSettings]\r\n or a new [BoxName] header with elevated permissions. The service writes the payload verbatim into Sandboxie.ini. On the next sandbox launch, the injected box runs with attacker-defined privileges, enabling sandbox escape and code execution as NT AUTHORITY\SYSTEM.
No public proof-of-concept exploit is available at the time of publication. See the GitHub Security Advisory GHSA-6xqg-2cjq-95qf for vendor technical detail.
Detection Methods for CVE-2026-34458
Indicators of Compromise
- Unexpected new section headers in Sandboxie.ini, particularly sandbox sections not created by an administrator
- UserSettings_ entries that contain embedded \r\n sequences or directive-like content in their values
- Modifications to Sandboxie.ini timestamped outside known administrator change windows
- Sandboxes configured with permissive options such as unrestricted file or process access added by non-admin users
Detection Strategies
- Monitor file integrity on Sandboxie.ini and alert on writes performed while no administrative session is active
- Inspect IPC traffic to SbieSvc for MSGID_SBIE_INI_ADD_SETTING and MSGID_SBIE_INI_SET_SETTING messages whose payloads contain 0x0D 0x0A byte sequences
- Compare current Sandboxie.ini against a known-good baseline and flag new section headers
Monitoring Recommendations
- Enable Windows file system auditing on the Sandboxie installation directory and forward events to your SIEM
- Track parent-child process relationships where SbieSvc.exe spawns sandboxed processes with unexpected token integrity levels
- Review Sandboxie service logs for configuration changes attributed to non-administrator SIDs
How to Mitigate CVE-2026-34458
Immediate Actions Required
- Upgrade Sandboxie-Plus to version 1.17.3 or later on all Windows endpoints
- Audit Sandboxie.ini for unauthorized sections or directives and revert any unexpected entries
- Restrict local user accounts that do not require Sandboxie functionality from interacting with the service
Patch Information
The vendor released a fix in Sandboxie Release v1.17.3. The patch sanitizes CRLF characters in both the value and setting name parameters handled by MSGID_SBIE_INI_ADD_SETTING and MSGID_SBIE_INI_SET_SETTING, closing the INI injection path.
Workarounds
- If patching is delayed, restrict access to the Sandboxie IPC endpoint to administrators only via host-based access controls
- Set Sandboxie.ini to read-only and revoke write access from the service account where operationally feasible
- Remove Sandboxie-Plus from systems where it is not actively required until the upgrade is applied
# Verify installed Sandboxie-Plus version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "Sandboxie-Plus*" } |
Select-Object DisplayName, DisplayVersion
# Baseline Sandboxie.ini for change detection
Get-FileHash "C:\Program Files\Sandboxie-Plus\Sandboxie.ini" -Algorithm SHA256
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
