CVE-2026-34459
Sandbox Escape via Stack Leak and Buffer Overflow in Sandboxie-Plus
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sandboxie-plus | sandboxie-plus | up to 1.17.3 (excluding) |
| sandboxie-plus | sandboxie-plus | 1.17.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Sandboxie-Plus allows a sandboxed process to escape the sandbox and escalate privileges to SYSTEM, potentially leading to unauthorized access to sensitive data or system resources.
Such unauthorized privilege escalation and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on data access and protection against unauthorized disclosure.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.
Can you explain this vulnerability to me?
CVE-2026-34459 is a critical vulnerability in Sandboxie-Plus versions 1.17.2 and earlier that allows a malicious sandboxed process to escape the sandbox and escalate privileges to SYSTEM.
The vulnerability involves two issues in the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler: an uninitialized memory leak and a stack buffer overflow.
First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned. This leaks return addresses and stack cookies, which bypasses security protections like ASLR and /GS.
Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow.
By chaining the information leak with the overflow, an attacker can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox.
Hardware mitigations like Intel CET can prevent the ROP chain execution but do not mitigate the information leak.
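The two defects described above (a zero-length request that returns the whole uninitialized stack buffer, and an unchecked attacker-controlled copy length) are both input-validation failures in the proxy handler. The following C model, added here as an illustration and not code from Sandboxie-Plus, shows what a hardened handler of that shape must do: reject cbSize of 0, bound the length against both the stack buffer and the reply buffer before memcpy, zero the stack buffer, and return exactly the validated number of bytes. All names (RawInputInfoRequest, handle_raw_input_info, validate_request_size, SLAVE_STACK_BUFFER_SIZE) and the sample payload are constructed for this example; only the 32KB buffer size comes from the advisory text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical constant: the 32KB stack buffer the advisory describes. */
#define SLAVE_STACK_BUFFER_SIZE (32u * 1024u)

enum HandlerStatus {
    HANDLER_OK = 0,
    HANDLER_ERR_NULL = 1,
    HANDLER_ERR_BAD_SIZE = 2
};

/* Constructed model of the IPC request: a client-supplied length and payload. */
struct RawInputInfoRequest {
    uint32_t cbSize;          /* attacker-controlled length field */
    const uint8_t *payload;   /* cbSize bytes supplied by the sandboxed client */
};

/* Validation that must run before any memcpy: reject the zero-length request
 * that caused the uninitialized-memory leak, and reject lengths that do not
 * fit the stack buffer or the caller's reply buffer. */
enum HandlerStatus validate_request_size(uint32_t cbSize, size_t reply_cap)
{
    if (cbSize == 0)
        return HANDLER_ERR_BAD_SIZE;
    if (cbSize > SLAVE_STACK_BUFFER_SIZE || cbSize > reply_cap)
        return HANDLER_ERR_BAD_SIZE;
    return HANDLER_OK;
}

/* Hardened handler model: copies only a validated number of bytes into a
 * zero-initialized stack buffer and returns exactly that many bytes, so the
 * reply can never carry stale stack contents and the copy cannot overrun. */
enum HandlerStatus handle_raw_input_info(const struct RawInputInfoRequest *req,
                                         uint8_t *reply, size_t reply_cap,
                                         size_t *reply_len)
{
    uint8_t stack_buf[SLAVE_STACK_BUFFER_SIZE];
    enum HandlerStatus st;

    if (reply_len != NULL)
        *reply_len = 0;
    if (req == NULL || reply == NULL || reply_len == NULL)
        return HANDLER_ERR_NULL;

    st = validate_request_size(req->cbSize, reply_cap);
    if (st != HANDLER_OK)
        return st;
    if (req->payload == NULL)
        return HANDLER_ERR_NULL;

    /* Zeroing means a later logic slip cannot leak return addresses or cookies. */
    memset(stack_buf, 0, sizeof stack_buf);
    memcpy(stack_buf, req->payload, req->cbSize);   /* bounded by the check above */

    /* A real handler would query the device here; this model echoes the validated bytes. */
    memcpy(reply, stack_buf, req->cbSize);
    *reply_len = req->cbSize;
    return HANDLER_OK;
}

int main(void)
{
    static const uint8_t sample[16] = "constructed-dat";   /* constructed payload */
    uint8_t reply[64];
    size_t n = 0;
    struct RawInputInfoRequest zero = { 0, sample };
    struct RawInputInfoRequest huge = { 40000u, sample };
    struct RawInputInfoRequest good = { sizeof sample, sample };

    printf("cbSize=0     -> status %d\n", handle_raw_input_info(&zero, reply, sizeof reply, &n));
    printf("cbSize=40000 -> status %d\n", handle_raw_input_info(&huge, reply, sizeof reply, &n));
    printf("cbSize=16    -> status %d, %zu bytes returned\n",
           handle_raw_input_info(&good, reply, sizeof reply, &n), n);
    return 0;
}
```

The ordering matters: the length check precedes the copy and the zeroing precedes any path that could return the buffer, so neither the leak nor the overflow is reachable even if later code in the handler changes.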
How can this vulnerability impact me?
This vulnerability can allow a malicious sandboxed process to escape the sandbox environment and execute code with SYSTEM-level privileges on Windows systems.
An attacker can leverage the information leak and stack buffer overflow to bypass security protections and run arbitrary commands as SYSTEM, effectively gaining full control over the affected system.
Even systems with hardware-enforced shadow stacks (Intel CET) remain vulnerable to the information leak, which could be exploited by advanced attackers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the system is running Sandboxie-Plus version 1.17.2 or earlier, as these versions contain the vulnerable SbieSvc proxy service.
Since the vulnerability is exploited via crafted IPC requests to the GetRawInputDeviceInfoSlave handler, monitoring for unusual IPC requests with cbSize set to 0 or unexpected data sizes could indicate exploitation attempts.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed.
Additionally, hardware mitigations such as Intel CET (Control-flow Enforcement Technology) can prevent the execution of the ROP chain used in the exploit, although they do not mitigate the information leak itself.