CVE-2026-34462 Overview
CVE-2026-34462 is a stack-based buffer overflow [CWE-121] in Sandboxie-Plus, an open source sandbox isolation tool for Windows. The flaw affects versions 1.17.2 and earlier and lives in the SbieSvc service. Several ProcessServer handlers, including KillAllHandler, SuspendAllHandler, and RunSandboxedHandler, copy a WCHAR boxname[34] field from a client-supplied request structure into a WCHAR[40] stack buffer with wcscpy, without first checking that the field contains a null terminator. Because wcscpy runs until the first null it finds, a client that omits the terminator and appends data after the structure decides how many characters are written past the 40-element buffer. The service pipe is created with a NULL DACL, so any local process can connect, and the unsafe copy executes before any authorization check. Exploitation can crash SbieSvc or potentially execute code as SYSTEM. The issue is fixed in version 1.17.3.
Critical Impact
A local attacker can trigger memory corruption in a SYSTEM-privileged service before any authorization check, enabling denial of service or local privilege escalation to SYSTEM.
Affected Products
- Sandboxie-Plus versions 1.17.2 and earlier
- SbieSvc Windows service component
- ProcessServer request handlers (KillAllHandler, SuspendAllHandler, RunSandboxedHandler)
Discovery Timeline
- 2026-05-05 - CVE-2026-34462 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-34462
Vulnerability Analysis
The vulnerability resides in ProcessServer request handlers within the SbieSvc Windows service. Each handler reads a boxname field declared as WCHAR[34] from a client-supplied request structure delivered over a named pipe. The handler then calls wcscpy to copy that field into a local WCHAR[40] stack buffer.
The service pipe accepts variable-length packets that can exceed the size of the request structure. An attacker fills the entire boxname field with non-zero wide characters, omitting the trailing null terminator. The attacker then appends additional controlled wide characters immediately after the structure within the same packet.
wcscpy continues reading past the 34-character field until it encounters a null terminator in the appended data. The destination 40-element stack buffer overflows, corrupting adjacent stack data, saved registers, and the return address within the SbieSvc process, which runs as SYSTEM. If the binary is built with MSVC's /GS stack protection, an overwrite that reaches the return address trips the security cookie check and terminates the process with STATUS_STACK_BUFFER_OVERRUN (0xC0000409); in that case a crash is the reliable outcome and code execution would additionally require defeating that mitigation.
Root Cause
The root cause is the absence of bounded copy semantics and the failure to enforce null termination on attacker-controlled input. The handlers trust the structural shape of the inbound packet rather than validating the length of boxname. Compounding the defect, the named pipe is configured with a NULL DACL, granting connect access to every local user, and the vulnerable copy runs before the handler reaches its authorization logic.
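The following is an added example, not code from Sandboxie-Plus or its advisory, written to make the two preceding sections concrete: it models the request structure (only the boxname[34] field is from the advisory; the msgid field, the packet layout and every function name here are assumptions), shows how many code units an unbounded wcscpy would write into the 40-element local buffer for a given packet, and places a bounded, terminator-checking copy beside it. The unsafe copy is modelled as a count rather than executed, because actually overrunning a stack array is undefined behaviour and would only crash the demonstration. Sample packets are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* UTF-16 code unit: WCHAR is 16 bits on Windows, wchar_t is 32 on Linux, so a
 * fixed-width type keeps the element counts the advisory quotes. */
typedef uint16_t WCHAR;
#define BOXNAME_LEN   34   /* WCHAR boxname[34] in the request structure */
#define LOCAL_BUF_LEN 40   /* WCHAR[40] local buffer in the handlers */

/* Model of a ProcessServer request. Only boxname[34] is from the advisory; the
 * msgid field and the layout are assumptions made for this example. */
typedef struct { uint32_t msgid; WCHAR boxname[BOXNAME_LEN]; } REQUEST;

static WCHAR unit_at(const uint8_t *pkt, size_t off) {   /* unaligned 16-bit read */
    WCHAR u; memcpy(&u, pkt + off, sizeof u); return u;
}

static size_t w16nlen(const WCHAR *s, size_t max) {      /* wcsnlen for 16-bit units */
    size_t n = 0; while (n < max && s[n] != 0) n++; return n;
}

/* The vulnerable pattern, modelled rather than executed: wcscpy(local, req->boxname)
 * writes units until the first NUL wherever the sender placed it. Returns the number
 * of units (terminator included) wcscpy would write into the 40-unit local buffer;
 * above LOCAL_BUF_LEN is a stack overflow. SIZE_MAX: no NUL in the packet at all. */
static size_t vulnerable_copy_units(const uint8_t *pkt, size_t pkt_len) {
    size_t off = offsetof(REQUEST, boxname);
    size_t avail = pkt_len > off ? (pkt_len - off) / sizeof(WCHAR) : 0;
    for (size_t i = 0; i < avail; i++)
        if (unit_at(pkt, off + i * sizeof(WCHAR)) == 0) return i + 1;
    return SIZE_MAX;
}

/* Hardened handler: require the whole structure, require the NUL to lie inside
 * the 34-unit field, then copy with an explicit bound. Returns 0 and fills local[]
 * on success, -1 on rejection. It runs before any authorization or sandbox logic,
 * since the copy itself was the pre-auth defect. */
static int hardened_copy(const uint8_t *pkt, size_t pkt_len, WCHAR local[LOCAL_BUF_LEN]) {
    REQUEST req;
    if (pkt_len < sizeof req) return -1;                  /* truncated packet */
    memcpy(&req, pkt, sizeof req);
    size_t n = w16nlen(req.boxname, BOXNAME_LEN);
    if (n == BOXNAME_LEN) return -1;                      /* no NUL inside the field */
    memcpy(local, req.boxname, n * sizeof(WCHAR));
    local[n] = 0;                                         /* n <= 33, always fits */
    return 0;
}

/* Constructed benign packet: "DefaultBox", terminated inside the field. */
static size_t benign_packet(uint8_t *out) {
    REQUEST r = {0};
    const char *name = "DefaultBox";
    for (size_t i = 0; name[i]; i++) r.boxname[i] = (WCHAR)name[i];
    memcpy(out, &r, sizeof r);
    return sizeof r;
}

/* Constructed malicious packet: all 34 boxname units non-zero, then tail_units
 * more non-zero units after the structure, then the one NUL the sender chose. */
static size_t malicious_packet(uint8_t *out, size_t tail_units) {
    REQUEST r = {0};
    for (size_t i = 0; i < BOXNAME_LEN; i++) r.boxname[i] = 'A';
    memcpy(out, &r, sizeof r);
    size_t len = sizeof r;
    for (size_t i = 0; i <= tail_units; i++) {            /* tail_units 'B's, then NUL */
        WCHAR u = i < tail_units ? 'B' : 0;
        memcpy(out + len, &u, sizeof u);
        len += sizeof u;
    }
    return len;
}

/* Scenario helpers that reduce each case to one checkable value. */
static size_t units_for_benign(void) {
    uint8_t pkt[256]; return vulnerable_copy_units(pkt, benign_packet(pkt));
}
static size_t units_for_tail(size_t tail_units) {
    uint8_t pkt[256]; return vulnerable_copy_units(pkt, malicious_packet(pkt, tail_units));
}
static int hardened_accepts_benign(void) {
    uint8_t pkt[256]; WCHAR local[LOCAL_BUF_LEN];
    return hardened_copy(pkt, benign_packet(pkt), local) == 0 && local[10] == 0;
}
static int hardened_accepts_tail(size_t tail_units) {
    uint8_t pkt[256]; WCHAR local[LOCAL_BUF_LEN];
    return hardened_copy(pkt, malicious_packet(pkt, tail_units), local) == 0;
}
static int hardened_accepts_truncated(void) {
    uint8_t pkt[256]; WCHAR local[LOCAL_BUF_LEN]; benign_packet(pkt);
    return hardened_copy(pkt, sizeof(REQUEST) - 1, local) == 0;
}

int main(void) {
    printf("benign: %zu units, accepted=%d\n", units_for_benign(), hardened_accepts_benign());
    size_t tails[] = {0, 5, 6, 20};                        /* 34+tail+1 units; overflow when > 40 */
    for (size_t k = 0; k < 4; k++)
        printf("tail %2zu: %zu units, accepted=%d\n", tails[k], units_for_tail(tails[k]),
               hardened_accepts_tail(tails[k]));
    return 0;
}
```

The scenarios reproduce the two points the analysis makes. An unterminated 34-unit field on its own makes wcscpy write 35 units, which still fits in the 40-unit buffer; only the data appended after the structure pushes the count past 40 (five appended units land exactly on the limit, six overflow), so the sender chooses the overflow length. The hardened copy rejects the unterminated field and the truncated packet before looking at the name, which is the ordering the fix has to preserve given that the copy ran ahead of the authorization logic.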
Attack Vector
Exploitation requires local access. A low-privileged local process opens the SbieSvc named pipe, builds a malformed request that targets KillAllHandler, SuspendAllHandler, or RunSandboxedHandler, packs an unterminated boxname field, and appends controlled wide characters to set the overflow length. The service then performs the unsafe wcscpy in the SYSTEM context, yielding a crash or, if the attacker can turn the overwrite into control of the return address, code execution as SYSTEM.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-9cjg-vh9m-hhx4 for vendor technical details.
Detection Methods for CVE-2026-34462
Indicators of Compromise
- Unexpected crashes or restarts of the SbieSvc service in the Windows Service Control Manager logs.
- Windows Error Reporting (WER) entries referencing SbieSvc.exe with exception codes such as 0xC0000005 (STATUS_ACCESS_VIOLATION) or 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN, raised when the /GS stack cookie check fails).
- Non-Sandboxie processes opening handles to the SbieSvc named pipe and writing oversized packets.
Detection Strategies
- Hunt for processes other than SandMan.exe or Start.exe that connect to the SbieSvc control pipe.
- Alert on Service Control Manager Event ID 7034 (service terminated unexpectedly) for SbieSvc in the System log, followed by a restart of the service on the same host.
- Inspect crash dumps of SbieSvc.exe for return addresses or stack canaries overwritten with wide-character patterns.
Monitoring Recommendations
- Enable command-line and process-creation auditing (Event ID 4688) to capture local processes interacting with Sandboxie components.
- Forward Windows Application and System logs to a centralized analytics platform for correlation across hosts.
- Track installed Sandboxie-Plus versions across the fleet and flag any host running 1.17.2 or earlier.
How to Mitigate CVE-2026-34462
Immediate Actions Required
- Upgrade Sandboxie-Plus to version 1.17.3 on all Windows endpoints where it is installed.
- Inventory hosts running 1.17.2 or earlier and prioritize multi-user systems and developer workstations.
- Restrict local logon rights on systems where Sandboxie-Plus cannot be immediately updated.
Patch Information
The maintainers fixed the vulnerability in Sandboxie-Plus version 1.17.3. The patch addresses the unsafe wcscpy calls in the ProcessServer handlers and enforces bounded, null-terminated copies of the boxname field. Refer to the GitHub Security Advisory GHSA-9cjg-vh9m-hhx4 for the full fix description.
Workarounds
- If patching is delayed, stop and disable the SbieSvc service on hosts that do not actively need sandboxing.
- Limit interactive and remote logon to trusted administrators to reduce local attack surface.
- Monitor the SbieSvc named pipe for connections from unexpected processes and terminate suspicious sessions.
# Disable SbieSvc until the host is patched (run from elevated PowerShell).
# Note: sandbox isolation is unavailable on the host while the service is disabled.
Stop-Service -Name SbieSvc -Force
Set-Service -Name SbieSvc -StartupType Disabled
# Verify the installed Sandboxie-Plus version. SandMan.exe carries the Plus 1.x number;
# SbieSvc.exe may report the core Sandboxie 5.x build instead, so check both.
foreach ($exe in 'SandMan.exe', 'SbieSvc.exe') {
    $path = Join-Path 'C:\Program Files\Sandboxie-Plus' $exe
    if (Test-Path $path) { "{0}: {1}" -f $exe, (Get-Item $path).VersionInfo.ProductVersion }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.