Executive Summary

CVE-2026-34458 is an INI injection vulnerability in Sandboxie-Plus versions 1.17.2 and earlier. It allows any standard local user to bypass configuration restrictions and inject arbitrary directives into the global Sandboxie.ini configuration file.

The vulnerability occurs because the background service skips authorization checks for IPC messages targeting configuration sections starting with UserSettings_, but does not sanitize CRLF (Carriage Return Line Feed) characters in the value or setting name parameters. This enables attackers to inject new sandbox section headers with unrestricted permissions.

By exploiting this, an attacker can escape the sandbox environment and escalate privileges to SYSTEM level, effectively gaining full control over the system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows any standard local user to bypass sandbox restrictions and escalate their privileges to SYSTEM level.

• Bypass of configuration restrictions such as EditAdminOnly and ConfigPassword.
• Injection of arbitrary directives into the global Sandboxie.ini file.
• Creation of malicious sandbox environments with unrestricted permissions.
• Sandbox escape leading to SYSTEM privilege escalation.
• Potential for arbitrary file writes and full control over the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized injection of directives into the global Sandboxie.ini configuration file via IPC messages targeting sections beginning with UserSettings_. Detection involves monitoring for unusual modifications to the Sandboxie.ini file, especially new sandbox section headers with unrestricted permissions.

Since exploitation uses IPC messages with CRLF injection in the value or setting name parameters, detection can include monitoring IPC communication related to Sandboxie-Plus for suspicious messages containing CRLF characters or unexpected directives.

A practical approach is to check the Sandboxie.ini file for unexpected new sandbox sections or changes that bypass configuration restrictions.

• Use file integrity monitoring tools to detect changes in Sandboxie.ini.
• Manually inspect Sandboxie.ini for new or suspicious sandbox section headers.
• On Windows, use commands like `findstr` to search for suspicious entries, e.g., `findstr /C:"[SandboxName]" C:\Path\To\Sandboxie.ini`.
• Monitor IPC messages or logs if available, looking for messages with MSGID_SBIE_INI_ADD_SETTING or MSGID_SBIE_INI_SET_SETTING containing CRLF characters.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict local user access to Sandboxie-Plus and its configuration files to prevent exploitation.

Implement file integrity monitoring on Sandboxie.ini to detect unauthorized changes promptly.

Consider limiting or monitoring IPC communication related to Sandboxie-Plus to detect or block suspicious messages.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0