Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-34464

CVE-2026-34464: Sandboxie-Plus RCE Vulnerability

CVE-2026-34464 is a remote code execution flaw in Sandboxie-Plus that allows sandbox escape through buffer overflow. This post explains its impact, affected versions through 1.17.2, and mitigation steps.

Published:

CVE-2026-34464 Overview

CVE-2026-34464 is a stack-based buffer overflow [CWE-121] in Sandboxie-Plus, an open source sandbox-based isolation tool for Windows. The flaw resides in NamedPipeServer::OpenHandler, which copies the server field from a NAMED_PIPE_OPEN_REQ message into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. A sandboxed caller can supply oversized wide-character data and overflow the buffer inside the SYSTEM-level SbieSvc service. Versions 1.17.2 and earlier are affected, and the issue is fixed in version 1.17.3.

Critical Impact

A sandboxed process can crash SbieSvc or potentially execute code as SYSTEM, defeating the isolation boundary that Sandboxie-Plus is designed to enforce.

Affected Products

  • Sandboxie-Plus versions 1.17.2 and earlier
  • SbieSvc SYSTEM service component
  • NamedPipeServer IPC handler

Discovery Timeline

  • 2026-05-05 - CVE CVE-2026-34464 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-34464

Vulnerability Analysis

The vulnerability lives in the named pipe IPC layer that SbieSvc exposes to sandboxed processes. When a sandboxed caller sends a NAMED_PIPE_OPEN_REQ message, NamedPipeServer::OpenHandler reads the request's server field and concatenates it into a fixed WCHAR pipename[160] stack buffer. The handler uses wcscat, which copies wide characters until it encounters a null terminator in the source.

The service pipe accepts variable-length messages and only enforces a minimum packet size. An attacker can populate the 48-byte server field with non-null wide characters and append additional controlled data after the structure. wcscat then reads past the fixed field, traversing into attacker-controlled bytes and writing far beyond the 160-WCHAR destination buffer on the stack.

Because SbieSvc runs as SYSTEM, a successful exploit promotes a sandboxed process to full SYSTEM privilege, breaking the security boundary Sandboxie-Plus is designed to provide.

Root Cause

The root cause is missing input validation. The handler trusts that server is null-terminated within its 48-byte field and does not bound the destination copy. Combining wcscat with an unterminated source field produces a classic stack buffer overflow [CWE-121].

Attack Vector

Exploitation requires local code execution inside a Sandboxie-Plus sandbox. The attacker crafts a NAMED_PIPE_OPEN_REQ message larger than the minimum size, fills server[48] with non-zero wide characters, and appends shellcode-bearing data. The message is sent to the SbieSvc named pipe, triggering the overflow in the SYSTEM service.

See the GitHub Security Advisory GHSA-cf8x-f33g-vwfg for vendor-supplied technical detail.

Detection Methods for CVE-2026-34464

Indicators of Compromise

  • Unexpected crashes or restarts of the SbieSvc service on Windows endpoints running Sandboxie-Plus.
  • Windows Error Reporting (WER) entries referencing SbieSvc.exe with stack corruption or access violation faults.
  • Child processes spawned by SbieSvc.exe that fall outside the documented Sandboxie-Plus process tree.

Detection Strategies

  • Inventory endpoints running Sandboxie-Plus and flag any host on version 1.17.2 or earlier.
  • Monitor for anomalous named pipe activity targeting SbieSvc pipes from sandboxed processes.
  • Alert on SYSTEM-level process creation lineage that originates from SbieSvc.exe after sandboxed activity.

Monitoring Recommendations

  • Collect Sysmon Event ID 11 (file create) and Event ID 17/18 (named pipe events) for SbieSvc pipes.
  • Forward Application and System event logs to a central platform to correlate SbieSvc faults with user activity.
  • Track Sandboxie-Plus version inventory through endpoint management tooling and alert on outdated builds.

How to Mitigate CVE-2026-34464

Immediate Actions Required

  • Upgrade Sandboxie-Plus to version 1.17.3 or later on every Windows host where it is deployed.
  • Identify and decommission unmanaged or end-of-life Sandboxie-Plus installations that cannot be patched.
  • Restrict who can run Sandboxie-Plus sandboxes on shared or multi-user systems until patching is complete.

Patch Information

The maintainers fixed the issue in Sandboxie-Plus 1.17.3 by correcting the unsafe concatenation in NamedPipeServer::OpenHandler. Refer to the Sandboxie-Plus security advisory GHSA-cf8x-f33g-vwfg for fixed-version download links and release notes.

Workarounds

  • Stop and disable the SbieSvc service on systems where Sandboxie-Plus is not actively required.
  • Avoid running untrusted code inside Sandboxie-Plus sandboxes on hosts that cannot be upgraded.
  • Apply application allowlisting to prevent unknown binaries from launching inside sandboxes that interact with SbieSvc.
bash
# Verify the installed Sandboxie-Plus version on Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*Sandboxie*" } |
  Select-Object DisplayName, DisplayVersion, Publisher

# Stop and disable SbieSvc on hosts where Sandboxie-Plus is not required
Stop-Service -Name SbieSvc -Force
Set-Service -Name SbieSvc -StartupType Disabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.