CVE-2026-34464 Overview
CVE-2026-34464 is a stack-based buffer overflow [CWE-121] in Sandboxie-Plus, an open source sandbox-based isolation tool for Windows. The flaw resides in NamedPipeServer::OpenHandler, which copies the server field from a NAMED_PIPE_OPEN_REQ message into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. A sandboxed caller can supply oversized wide-character data and overflow the buffer inside the SYSTEM-level SbieSvc service. Versions 1.17.2 and earlier are affected, and the issue is fixed in version 1.17.3.
Critical Impact
A sandboxed process can crash SbieSvc or potentially execute code as SYSTEM, defeating the isolation boundary that Sandboxie-Plus is designed to enforce.
Affected Products
- Sandboxie-Plus versions 1.17.2 and earlier
- SbieSvc SYSTEM service component
- NamedPipeServer IPC handler
Discovery Timeline
- 2026-05-05 - CVE-2026-34464 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-34464
Vulnerability Analysis
The vulnerability lives in the named pipe IPC layer that SbieSvc exposes to sandboxed processes. When a sandboxed caller sends a NAMED_PIPE_OPEN_REQ message, NamedPipeServer::OpenHandler reads the request's server field and concatenates it into a fixed WCHAR pipename[160] stack buffer. The handler uses wcscat, which copies wide characters until it encounters a null terminator in the source.
The service pipe accepts variable-length messages and only enforces a minimum packet size, so nothing stops a request from being longer than the NAMED_PIPE_OPEN_REQ structure. An attacker can fill the server field (server[48]) with non-null wide characters and append additional controlled data after the structure. Because wcscat stops only at a null terminator, it reads past the end of the field into the appended bytes and writes far beyond the 160-WCHAR destination buffer on the stack.
Because SbieSvc runs as SYSTEM, a successful exploit promotes a sandboxed process to full SYSTEM privilege, breaking the security boundary Sandboxie-Plus is designed to provide.
Root Cause
The root cause is missing input validation. The handler trusts that server is null-terminated within its fixed-size field and does not bound the destination copy. Combining wcscat with an unterminated source field produces a classic stack buffer overflow [CWE-121].
Attack Vector
Exploitation requires local code execution inside a Sandboxie-Plus sandbox, so the attacker is already running code on the host at sandboxed privilege. The attacker crafts a NAMED_PIPE_OPEN_REQ message larger than the minimum size, fills server[48] with non-zero wide characters, and appends further controlled data after the structure (a payload, if code execution is the goal). Sending the message to the SbieSvc named pipe triggers the overflow in the SYSTEM service: at minimum this crashes SbieSvc, and with a suitable payload it can yield SYSTEM-level code execution.
See the GitHub Security Advisory GHSA-cf8x-f33g-vwfg for vendor-supplied technical detail.
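The pattern described in the Root Cause and Attack Vector sections, reduced to a compilable illustration. This is an added example, not Sandboxie-Plus source: only the field sizes (server[48], WCHAR pipename[160]) and the unbounded wcscat pattern come from the advisory text, while the request layout, the pipe-name prefix and the two sample messages are constructed for the example. vulnerable_copy_len shows how far wcscat would read when the server field has no terminator, and hardened_open_handler shows the two checks the unfixed handler lacks: a bounded length scan of the source field and an explicit size check on the destination.

```c
/*
 * Added illustration, not Sandboxie-Plus source. The request layout, the
 * pipe-name prefix and the sample messages are assumptions constructed for
 * the example; only the field sizes (server[48], WCHAR pipename[160]) and
 * the wcscat() pattern come from the advisory text. wchar_t is 4 bytes on
 * most non-Windows platforms and 2 on Windows; the logic counts elements,
 * so the width does not matter here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define SERVER_FIELD_LEN 48   /* wide chars in the request's server field */
#define PIPENAME_LEN     160  /* WCHAR pipename[160] on the handler's stack */
#define TRAILER_LEN      200  /* attacker data appended after the structure (constructed) */

/* Hypothetical prefix the handler writes before concatenating server. */
static const wchar_t PIPE_PREFIX[] = L"\\\\";

/* Length of s in wide chars, scanning at most maxlen; returns maxlen if no
 * terminator is found (wcsnlen semantics, written out for portability). */
size_t wbounded_len(const wchar_t *s, size_t maxlen) {
    size_t n = 0;
    while (n < maxlen && s[n] != L'\0') n++;
    return n;
}

/* What the unfixed handler copies: wcscat() knows nothing about the 48-wchar
 * field boundary and stops only at the first L'\0' anywhere in the message,
 * so with an unterminated server field it keeps reading into appended data.
 * msg points at the server field; msg_len is the whole remaining message. */
size_t vulnerable_copy_len(const wchar_t *msg, size_t msg_len) {
    return wbounded_len(msg, msg_len);
}

/* True if wcscpy(prefix) followed by wcscat(server) would exceed pipename[160]. */
bool vulnerable_would_overflow(const wchar_t *msg, size_t msg_len) {
    size_t prefix = wcslen(PIPE_PREFIX);
    return prefix + vulnerable_copy_len(msg, msg_len) + 1 > PIPENAME_LEN;
}

/* Hardened handler: reject an unterminated server field, then bound the
 * destination explicitly instead of trusting wcscat().
 * Returns 0 on success, -1 if server is unterminated, -2 if it would not fit. */
int hardened_open_handler(const wchar_t *server, wchar_t *out, size_t out_len) {
    size_t slen = wbounded_len(server, SERVER_FIELD_LEN);
    if (slen == SERVER_FIELD_LEN) return -1;          /* no NUL within the field */
    size_t plen = wcslen(PIPE_PREFIX);
    if (plen + slen + 1 > out_len) return -2;         /* prefix + server + NUL */
    wmemcpy(out, PIPE_PREFIX, plen);
    wmemcpy(out + plen, server, slen);
    out[plen + slen] = L'\0';
    return 0;
}

/* Constructed sample: a well-formed request, server = L"host" then zeros.
 * buf must hold SERVER_FIELD_LEN + TRAILER_LEN wide chars; returns that count. */
size_t make_benign_request(wchar_t *buf) {
    wmemset(buf, L'\0', SERVER_FIELD_LEN + TRAILER_LEN);
    wcscpy(buf, L"host");
    return SERVER_FIELD_LEN + TRAILER_LEN;
}

/* Constructed sample: server field filled with non-NUL 'A's, followed by
 * attacker-appended 'B's and a terminator only at the very end. */
size_t make_malicious_request(wchar_t *buf) {
    wmemset(buf, L'A', SERVER_FIELD_LEN);
    wmemset(buf + SERVER_FIELD_LEN, L'B', TRAILER_LEN - 1);
    buf[SERVER_FIELD_LEN + TRAILER_LEN - 1] = L'\0';
    return SERVER_FIELD_LEN + TRAILER_LEN;
}

int main(void) {
    wchar_t msg[SERVER_FIELD_LEN + TRAILER_LEN];
    wchar_t pipename[PIPENAME_LEN];

    size_t n = make_benign_request(msg);
    printf("benign:    copy=%zu overflow=%d hardened=%d\n",
           vulnerable_copy_len(msg, n), (int)vulnerable_would_overflow(msg, n),
           hardened_open_handler(msg, pipename, PIPENAME_LEN));

    n = make_malicious_request(msg);
    printf("malicious: copy=%zu overflow=%d hardened=%d\n",
           vulnerable_copy_len(msg, n), (int)vulnerable_would_overflow(msg, n),
           hardened_open_handler(msg, pipename, PIPENAME_LEN));
    return 0;
}
```

The malicious sample makes the point concrete: with 48 non-null characters in the field and 199 more appended, wcscat would copy 247 wide characters (plus the prefix) into a 160-element buffer, while the hardened handler refuses the request before any copy happens because no terminator appears within the 48-element field.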
Detection Methods for CVE-2026-34464
Indicators of Compromise
- Unexpected crashes or restarts of the SbieSvc service on Windows endpoints running Sandboxie-Plus.
- Windows Error Reporting (WER) entries referencing SbieSvc.exe with stack corruption or access violation faults.
- Child processes spawned by SbieSvc.exe that fall outside the documented Sandboxie-Plus process tree.
Detection Strategies
- Inventory endpoints running Sandboxie-Plus and flag any host on version 1.17.2 or earlier.
- Monitor for anomalous named pipe activity targeting SbieSvc pipes from sandboxed processes.
- Alert on SYSTEM-level process creation lineage that originates from SbieSvc.exe after sandboxed activity.
Monitoring Recommendations
- Collect Sysmon Event ID 1 (process create) to capture lineage from SbieSvc.exe, Event ID 11 (file create), and Event ID 17/18 (pipe created / pipe connected) for SbieSvc pipes.
- Forward Application and System event logs to a central platform to correlate SbieSvc faults with user activity.
- Track Sandboxie-Plus version inventory through endpoint management tooling and alert on outdated builds.
How to Mitigate CVE-2026-34464
Immediate Actions Required
- Upgrade Sandboxie-Plus to version 1.17.3 or later on every Windows host where it is deployed.
- Identify and decommission unmanaged or end-of-life Sandboxie-Plus installations that cannot be patched.
- Restrict who can run Sandboxie-Plus sandboxes on shared or multi-user systems until patching is complete.
Patch Information
The maintainers fixed the issue in Sandboxie-Plus 1.17.3 by correcting the unsafe concatenation in NamedPipeServer::OpenHandler. Refer to the Sandboxie-Plus security advisory GHSA-cf8x-f33g-vwfg for fixed-version download links and release notes.
Workarounds
- Stop and disable the SbieSvc service on systems where Sandboxie-Plus is not actively required.
- Avoid running untrusted code inside Sandboxie-Plus sandboxes on hosts that cannot be upgraded.
- Apply application allowlisting to prevent unknown binaries from launching inside sandboxes that interact with SbieSvc.
# Verify the installed Sandboxie-Plus version on Windows (PowerShell)
# Check both the native and the 32-bit (WOW6432Node) uninstall keys; fixed build is 1.17.3 or later
$uninstallKeys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*Sandboxie*" } |
    Select-Object DisplayName, DisplayVersion, Publisher
# Stop and disable SbieSvc on hosts where Sandboxie-Plus is not required
# (run from an elevated PowerShell session)
Stop-Service -Name SbieSvc -Force -ErrorAction Stop
Set-Service -Name SbieSvc -StartupType Disabled
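The inventory script above prints DisplayVersion strings; deciding which of them fall at or below 1.17.2 (the detection strategy in the previous section and the patch threshold here) needs a numeric dotted-version comparison, because a plain string compare orders "1.17.10" before "1.17.3". The following is an added example, not Sandboxie-Plus tooling or any part of its code base; the version strings in main() are constructed samples and the unparseable-means-suspect policy is a choice made for this example.

```c
/*
 * Added example, not Sandboxie-Plus tooling. Numeric dotted-version
 * comparison for triaging inventory data against the fixed build 1.17.3.
 * The version strings in main() are constructed samples.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define VERSION_PARTS 4

/* Parse "a.b.c[.d]" into numeric parts. Missing parts are 0, and parsing
 * stops at the first character that is neither a digit nor a dot, so a
 * suffix such as "1.17.3-beta" still compares on its numeric core.
 * Returns the number of components parsed (0 if the string has none). */
int parse_version(const char *s, unsigned parts[VERSION_PARTS]) {
    int count = 0;
    for (int i = 0; i < VERSION_PARTS; i++) parts[i] = 0;
    while (count < VERSION_PARTS) {
        if (*s < '0' || *s > '9') break;
        unsigned v = 0;
        while (*s >= '0' && *s <= '9') v = v * 10 + (unsigned)(*s++ - '0');
        parts[count++] = v;
        if (*s != '.') break;
        s++;
    }
    return count;
}

/* Compare two dotted versions numerically, so 1.17.10 > 1.17.3 (strcmp gets
 * this backwards). Returns <0, 0 or >0 like strcmp. */
int compare_versions(const char *a, const char *b) {
    unsigned pa[VERSION_PARTS], pb[VERSION_PARTS];
    parse_version(a, pa);
    parse_version(b, pb);
    for (int i = 0; i < VERSION_PARTS; i++) {
        if (pa[i] != pb[i]) return pa[i] < pb[i] ? -1 : 1;
    }
    return 0;
}

static const char FIXED_VERSION[] = "1.17.3";   /* first fixed release per the advisory */

/* True if an installed Sandboxie-Plus build predates the fix (1.17.2 and
 * earlier). A string with no numeric content is reported as affected so
 * that a blank or corrupted inventory entry gets a human look (policy
 * chosen for this example). */
bool is_affected(const char *installed) {
    unsigned tmp[VERSION_PARTS];
    if (parse_version(installed, tmp) == 0) return true;
    return compare_versions(installed, FIXED_VERSION) < 0;
}

int main(void) {
    /* Constructed sample DisplayVersion values, not real inventory data. */
    const char *samples[] = {"1.17.2", "1.17.3", "1.17.10", "1.9.7", "1.17", "2.0.0", ""};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", samples[i][0] ? samples[i] : "(blank)",
               is_affected(samples[i]) ? "AFFECTED" : "fixed");
    return 0;
}
```

The same comparison can be expressed in whatever language the inventory pipeline uses; the point is to compare component by component as integers rather than as text, and to pad missing components with zero so "1.17" sorts below "1.17.3".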
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.