CVE-2026-34461 Overview
CVE-2026-34461 is a stack buffer overflow [CWE-121] in Sandboxie-Plus, an open source sandbox-based isolation tool for Windows. The flaw exists in the SbieIniServerRunSbieCtrl handler in versions 1.17.2 and earlier. The handler processes the MSGID_SBIE_INI_RUN_SBIE_CTRL message before standard sandbox and impersonation checks. For non-sandboxed callers, it copies the trailing payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without length validation. The service pipe is created with a NULL discretionary access control list (DACL), allowing any local interactive process to send an oversized payload. The issue is fixed in version 1.17.3.
Critical Impact
A local attacker can crash the SbieSvc service or potentially execute arbitrary code as SYSTEM by sending an oversized payload over the unprotected service pipe.
Affected Products
- Sandboxie-Plus version 1.17.2
- Sandboxie-Plus versions earlier than 1.17.2
- SbieSvc service component (SbieIniServerRunSbieCtrl handler)
Discovery Timeline
- 2026-05-05 - CVE-2026-34461 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-34461
Vulnerability Analysis
The vulnerability is a classic stack-based buffer overflow [CWE-121] in the Sandboxie-Plus service component SbieSvc. When the service receives a MSGID_SBIE_INI_RUN_SBIE_CTRL message, the RunSbieCtrl handler in SbieIniServer processes the request before performing sandbox membership and impersonation checks. The handler copies the trailing message payload into a fixed-size local buffer declared as WCHAR ctrlCmd[128] using memcpy. No bounds check validates that the supplied length fits within the 256-byte destination. An attacker controlling the payload size and contents overwrites adjacent stack memory, including the saved return address and structured exception handler records.
Root Cause
Two distinct defects combine to enable exploitation. First, the SbieSvc named pipe is created with a NULL DACL, granting connect access to any local interactive process. Second, the RunSbieCtrl message dispatch path runs before authorization and length validation, calling memcpy with an attacker-controlled size into a fixed stack buffer.
Attack Vector
A local, low-privileged user opens the SbieSvc named pipe, constructs a MSGID_SBIE_INI_RUN_SBIE_CTRL request with a payload larger than 256 bytes, and writes it to the pipe. The handler dispatches the message before sandbox checks and copies the payload onto the stack. The overflow corrupts the stack frame, producing either a service crash or arbitrary code execution in the context of SbieSvc, which runs as SYSTEM.
No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-wpjw-jh2p-gwx7 for vendor technical details.
Detection Methods for CVE-2026-34461
Indicators of Compromise
- Unexpected crashes or restarts of the SbieSvc Windows service, with Application or System event log entries referencing access violations.
- Windows Error Reporting (WER) dumps for SbieSvc.exe containing oversized data on the stack near the ctrlCmd buffer.
- Local processes with no legitimate Sandboxie integration opening handles to the SbieSvc named pipe.
- New SYSTEM-level child processes spawned by SbieSvc.exe outside normal sandbox launch flows.
Detection Strategies
- Inventory endpoints running Sandboxie-Plus and identify any installation at version 1.17.2 or earlier.
- Monitor for process creation events where the parent is SbieSvc.exe and the child is not a known sandboxed program.
- Alert on repeated SbieSvc service termination or restart events within short time windows.
- Hunt for unusual local pipe connections to \\.\pipe\SbieSvcPort from unexpected user processes.
Monitoring Recommendations
- Forward Sysmon Event ID 1 (process create) and Event ID 17/18 (named pipe events) for SbieSvc.exe to a central log store.
- Track Windows Service Control Manager events 7031 and 7034 for the SbieSvc service.
- Capture and review WER crash dumps for SbieSvc.exe to identify exploitation attempts that fail before achieving code execution.
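The detection strategies and monitoring recommendations above, applied to constructed Sysmon pipe events and Service Control Manager records as an added example (not code from the advisory or the Sandboxie-Plus project); the allowlist of legitimate pipe clients, the event field names and the time windows are assumptions to tune per environment.

```python
import os
from collections import deque
from datetime import datetime, timedelta

PIPE_NAME = r"\\.\pipe\SbieSvcPort"
# Assumed allowlist of Sandboxie's own pipe clients; adjust to the images seen on your hosts.
ALLOWED_CLIENTS = {"sandman.exe", "sbiectrl.exe", "start.exe"}

# Constructed sample records: Sysmon 17/18 (pipe created/connected) and SCM 7031/7034 (service stopped
# unexpectedly / terminated) for SbieSvc. Field names are simplified, not the real XML schema.
SAMPLE_EVENTS = [
    {"ts": "2026-05-06T10:00:00", "id": 18, "image": r"C:\Program Files\Sandboxie-Plus\SandMan.exe", "pipe": PIPE_NAME},
    {"ts": "2026-05-06T10:01:05", "id": 18, "image": r"C:\Users\bob\AppData\Local\Temp\build.exe", "pipe": PIPE_NAME},
    {"ts": "2026-05-06T10:01:06", "id": 7034, "service": "SbieSvc"},
    {"ts": "2026-05-06T10:01:20", "id": 7031, "service": "SbieSvc"},
    {"ts": "2026-05-06T10:02:00", "id": 7034, "service": "SbieSvc"},
]

def _parse_ts(s):
    return datetime.fromisoformat(s)

def _service_crashes(events):
    return sorted(_parse_ts(e["ts"]) for e in events
                  if e["id"] in (7031, 7034) and e.get("service") == "SbieSvc")

def suspicious_pipe_clients(events, allowed=ALLOWED_CLIENTS):
    """Pipe events to the SbieSvc port whose client image is not on the allowlist."""
    hits = []
    for e in events:
        if e["id"] in (17, 18) and e.get("pipe", "").lower() == PIPE_NAME.lower():
            image = os.path.basename(e["image"].replace("\\", "/")).lower()
            if image not in allowed:
                hits.append((e["ts"], e["image"]))
    return hits

def restart_bursts(events, window=timedelta(minutes=5), threshold=2):
    """Largest count of SbieSvc 7031/7034 events inside any sliding window; flags repeated crashes."""
    recent, best = deque(), 0
    for t in _service_crashes(events):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        best = max(best, len(recent))
    return best, best >= threshold

def crash_after_pipe_access(events, within=timedelta(seconds=60)):
    """Unexpected pipe clients followed by an SbieSvc crash within `within`: the failed-exploit pattern."""
    crashes = _service_crashes(events)
    return [image for ts, image in suspicious_pipe_clients(events)
            if any(_parse_ts(ts) <= c <= _parse_ts(ts) + within for c in crashes)]
```

A crash paired with an unexpected pipe client is the strongest signal; a restart burst alone is worth a ticket but may also come from ordinary instability.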
How to Mitigate CVE-2026-34461
Immediate Actions Required
- Upgrade Sandboxie-Plus to version 1.17.3 or later on every Windows host where it is installed.
- If immediate patching is not possible, stop and disable the SbieSvc service on systems that do not actively require sandboxing.
- Restrict local interactive logon on multi-user systems to limit which accounts can reach the vulnerable pipe.
- Verify the running service version after deployment to confirm the patched binary is loaded.
Patch Information
The maintainers fixed this issue in Sandboxie-Plus 1.17.3. The patched build adds length validation to the RunSbieCtrl handler and reorders message handling so authorization checks precede payload copy operations. Refer to the GitHub Security Advisory GHSA-wpjw-jh2p-gwx7 for the official advisory and release notes.
Workarounds
- Uninstall Sandboxie-Plus on systems where it is not required pending the upgrade to 1.17.3.
- Use Windows AppLocker or Windows Defender Application Control to block execution of unauthorized binaries that could connect to the SbieSvc pipe.
- Limit interactive sessions on shared workstations and servers, since the attack requires local code execution.
# Verify installed Sandboxie-Plus version on Windows
powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like 'Sandboxie*' } | Select-Object DisplayName, DisplayVersion"
# Stop and disable SbieSvc until patch is applied
sc.exe stop SbieSvc
sc.exe config SbieSvc start= disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.