CVE-2025-64721
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-15
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sandboxie | sandboxie | <= 1.16.6 (affected) |
| sandboxie | sandboxie | 1.16.7 (fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Sandboxie 1.16.6 and earlier. The SYSTEM-level service SbieSvc.exe exposes the function SbieIniServer::RC4Crypt to sandboxed processes. That function uses a caller-controlled length value in a size calculation without checking for integer overflow (CWE-190): a sufficiently large value wraps the computed size, so a check or allocation based on the wrapped value no longer matches the amount of data actually processed, and the result is a heap overflow inside the service. Because the overflow happens in a process running as SYSTEM, a sandboxed process can use it to execute arbitrary code with SYSTEM privileges, escaping the sandbox and fully compromising the host. The issue is fixed in version 1.16.7.
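The integer-overflow pattern described above, as an added illustration written for this page rather than Sandboxie's actual SbieIniServer::RC4Crypt code (which is not shown here): a hypothetical SYSTEM-service request handler that takes a caller-supplied length, prepends a fixed header, and RC4-encrypts the payload. The function names, the 16-byte header, the header magic and the 64 MiB policy cap are assumptions for illustration. `vuln_alloc_size()` shows the CWE-190 arithmetic (a 32-bit sum that wraps), and `checked_alloc_size()` and `crypt_request()` show the hardened form.

```c
/* Added example, not Sandboxie's code. Names, HDR_LEN, the "SBX1" magic
 * and MAX_MSG_LEN are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 16u                       /* assumed fixed header size */
#define MAX_MSG_LEN (64u * 1024u * 1024u) /* assumed policy cap: 64 MiB */

/* Minimal RC4 keystream XOR (encrypting and decrypting are the same op).
 * Included only so the handler has a realistic body; RC4 is not the bug
 * here, and it should not be used in new designs. */
static void rc4_xor(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len)
{
    uint8_t S[256];
    for (unsigned i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (unsigned i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (size_t k = 0, i = 0, j = 0; k < len; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        buf[k] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* VULNERABLE pattern: header + caller length summed in 32 bits. A caller
 * length near UINT32_MAX wraps to a tiny total, so an allocation or bounds
 * check built on it passes while the later copy of caller_len bytes runs
 * far past the buffer. Only the arithmetic is shown, so calling this is
 * harmless. */
uint32_t vuln_alloc_size(uint32_t caller_len)
{
    uint32_t total = caller_len + HDR_LEN;   /* wraps modulo 2^32 */
    return total;
}

/* HARDENED: reject lengths that exceed policy or whose sum would wrap.
 * The wrap test is written portably (no compiler builtins). */
bool checked_alloc_size(uint32_t caller_len, size_t *out_total)
{
    if (caller_len > MAX_MSG_LEN) return false;            /* policy cap */
    if (caller_len > UINT32_MAX - HDR_LEN) return false;   /* would wrap */
    *out_total = (size_t)caller_len + HDR_LEN;
    return true;
}

/* Hardened handler: validate the size, allocate exactly that much, then
 * write the header and the encrypted payload. Returns a heap buffer the
 * caller frees, or NULL if the request was rejected. */
uint8_t *crypt_request(const uint8_t *key, size_t keylen,
                       const uint8_t *payload, uint32_t caller_len,
                       size_t *out_len)
{
    size_t total;
    if (keylen == 0 || !checked_alloc_size(caller_len, &total)) return NULL;
    uint8_t *out = calloc(1, total);
    if (!out) return NULL;
    memcpy(out, "SBX1", 4);                      /* assumed header magic */
    memcpy(out + HDR_LEN, payload, caller_len);  /* safe: total was checked */
    rc4_xor(key, keylen, out + HDR_LEN, caller_len);
    *out_len = total;
    return out;
}

int main(void)
{
    /* Constructed input: a length chosen to wrap the 32-bit sum. */
    uint32_t evil = 0xFFFFFFF8u;
    size_t t;
    printf("vulnerable size for 0x%08X: %u bytes\n",
           (unsigned)evil, (unsigned)vuln_alloc_size(evil));
    printf("checked size accepts it: %s\n",
           checked_alloc_size(evil, &t) ? "yes" : "no");
    return 0;
}
```

The point to take from the two size functions is that the fix is not a larger integer type but an explicit pre-check against the value that would wrap, plus a policy cap so an untrusted caller cannot force the privileged service into arbitrarily large allocations even when the arithmetic is sound.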
How can this vulnerability impact me?
Sandboxie exists to contain untrusted code, and this bug inverts that guarantee. Any code already running inside a sandbox can reach the SbieSvc.exe service and exploit the overflow to execute arbitrary code with SYSTEM privileges on the host. The attacker escapes the sandbox entirely and gains complete control of the affected machine, so anything that was only run because it was sandboxed should be considered as having had SYSTEM access.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Sandboxie to version 1.16.7 or later, which contains the fix, and verify the installed version on each host rather than assuming the update was applied. Until then, do not rely on the Sandboxie boundary to contain untrusted code: a malicious sandboxed process can use the heap overflow to run as SYSTEM, so treat any untrusted program you would otherwise run in the sandbox as if it were running directly on the host.