CVE-2026-34459
Analyzed Analyzed - Analysis Complete
Sandbox Escape via Stack Leak and Buffer Overflow in Sandboxie-Plus

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34459
EUVD
EUVD-2026-27458
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sandboxie-plus sandboxie to 1.17.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Sandboxie-Plus allows a sandboxed process to escape the sandbox and escalate privileges to SYSTEM, potentially leading to unauthorized access to sensitive data or system resources.

Such unauthorized privilege escalation and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data access and protection against unauthorized disclosure.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Executive Summary

CVE-2026-34459 is a critical vulnerability in Sandboxie-Plus versions 1.17.2 and earlier that allows a malicious sandboxed process to escape the sandbox and escalate privileges to SYSTEM.

The vulnerability involves two issues in the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler: an uninitialized memory leak and a stack buffer overflow.

First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned. This leaks return addresses and stack cookies, which bypasses security protections like ASLR and /GS.

Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow.

By chaining the information leak with the overflow, an attacker can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox.

Hardware mitigations like Intel CET can prevent the ROP chain execution but do not mitigate the information leak.

Impact Analysis

This vulnerability can allow a malicious sandboxed process to escape the sandbox environment and execute code with SYSTEM-level privileges on Windows systems.

An attacker can leverage the information leak and stack buffer overflow to bypass security protections and run arbitrary commands as SYSTEM, effectively gaining full control over the affected system.

Even systems with hardware-enforced shadow stacks (Intel CET) remain vulnerable to the information leak, which could be exploited by advanced attackers.

Detection Guidance

Detection of this vulnerability involves identifying if the system is running Sandboxie-Plus version 1.17.2 or earlier, as these versions contain the vulnerable SbieSvc proxy service.

Since the vulnerability is exploited via crafted IPC requests to the GetRawInputDeviceInfoSlave handler, monitoring for unusual IPC requests with cbSize set to 0 or unexpected data sizes could indicate exploitation attempts.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed.

Additionally, hardware mitigations such as Intel CET (Control-flow Enforcement Technology) can prevent the execution of the ROP chain used in the exploit, although they do not mitigate the information leak itself.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34459. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart