CVE-2026-34461
Analyzed Analyzed - Analysis Complete
Stack Buffer Overflow in Sandboxie-Plus

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34461
EUVD
EUVD-2026-27461
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sandboxie-plus sandboxie to 1.17.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34461 is a high-severity stack-based buffer overflow vulnerability in Sandboxie-Plus, an open source sandboxing software for Windows. The flaw exists in the SbieIniServer component, specifically in the handling of the MSGID_SBIE_INI_RUN_SBIE_CTRL message.

The vulnerability occurs because the service processes this message before performing sandbox or impersonation checks, allowing any local interactive process to send an oversized payload. This payload is copied into a fixed-size stack buffer (ctrlCmd[128]) without verifying that the payload fits, leading to a stack overflow.

Exploitation can cause the SbieSvc service to crash or potentially allow an attacker to execute arbitrary code with SYSTEM privileges, resulting in local privilege escalation. The issue affects versions up to 1.17.2 and was fixed in version 1.17.3.

Impact Analysis

This vulnerability can impact you by allowing a local attacker to crash the Sandboxie service, causing denial of service.

More seriously, it can enable an attacker to execute arbitrary code with SYSTEM-level privileges on the affected system, leading to a full local privilege escalation.

This means an attacker with local access could gain control over the system, bypassing sandbox restrictions and potentially compromising system integrity and security.

Detection Guidance

This vulnerability can be detected by monitoring for abnormal crashes or instability of the SbieSvc service, which may indicate exploitation attempts. Since the vulnerability involves sending an oversized payload to the Sandboxie service pipe, detection can focus on identifying local processes connecting to the Sandboxie service and sending unusually large or malformed messages.

Specific commands to detect exploitation attempts are not provided in the available resources. However, general approaches include:

  • Using Windows Event Viewer or service logs to check for crashes or errors related to SbieSvc.
  • Using process monitoring tools (e.g., Sysinternals Process Monitor) to observe local processes interacting with the Sandboxie service.
  • Using network or IPC monitoring tools to detect local connections to the Sandboxie service pipe with oversized payloads.
Mitigation Strategies

The immediate mitigation step is to upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider restricting local access to the Sandboxie service pipe to trusted users only, as the service pipe is created with a NULL DACL allowing any local interactive process to connect.

Monitoring for suspicious activity targeting the Sandboxie service and limiting local user privileges can also help reduce the risk of exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart