CVE-2026-34461
Stack Buffer Overflow in Sandboxie-Plus
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sandboxie-plus | sandboxie-plus | to 1.17.3 (exc) |
| sandboxie-plus | sandboxie-plus | 1.17.3 |
| sandboxie_plus | sandboxie | to 1.17.2 (inc) |
| sandboxie_plus | sandboxie | 1.17.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34461 is a high-severity stack-based buffer overflow vulnerability in Sandboxie-Plus, an open-source sandboxing application for Windows. The flaw exists in the SbieIniServer component, specifically in the handling of the MSGID_SBIE_INI_RUN_SBIE_CTRL message.
The vulnerability occurs because the service processes this message before performing its sandbox or impersonation checks, so any local interactive process can send an oversized payload. That payload is copied into a fixed-size stack buffer (ctrlCmd[128]) without verifying that it fits, leading to a stack-based buffer overflow.
Exploitation can crash the SbieSvc service or potentially allow an attacker to execute arbitrary code with SYSTEM privileges, resulting in local privilege escalation. The issue affects versions up to 1.17.2 and was fixed in version 1.17.3.
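As an added illustration (not Sandboxie-Plus's own code; the request struct, the numeric message-ID value, the policy hook and all function names are hypothetical), a hardened handler in C for the message described above that applies the two fixes the description implies: authorise the caller before touching the payload, and bound the copy into the 128-byte ctrlCmd stack buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout modelled on the advisory's description; the real
   SbieIniServer wire format and message ID value are not on the page. */
#define MSGID_SBIE_INI_RUN_SBIE_CTRL 0x1001u     /* constructed placeholder value */
typedef struct {
    uint32_t    msgid;
    uint32_t    length;   /* client-supplied byte count of data[] */
    const char *data;
} ini_request_t;
enum { CTRL_OK = 0, CTRL_EINVAL = -1, CTRL_EACCESS = -2, CTRL_ETOOBIG = -3 };

/* Hypothetical hook standing in for the service's sandbox / impersonation check. */
typedef bool (*client_check_fn)(void);

/* Hardened handler: authorise the caller before parsing, then bound the copy into
   the 128-byte stack buffer named in the advisory. The vulnerable shape the
   advisory describes is the same memcpy with neither check in front of it. */
int run_sbie_ctrl_hardened(const ini_request_t *req, client_check_fn client_ok)
{
    char ctrlCmd[128];
    if (req == NULL || req->data == NULL || req->msgid != MSGID_SBIE_INI_RUN_SBIE_CTRL)
        return CTRL_EINVAL;
    if (!client_ok())                       /* check first, parse second */
        return CTRL_EACCESS;
    if (req->length >= sizeof(ctrlCmd))     /* keep one byte for the terminator */
        return CTRL_ETOOBIG;
    memcpy(ctrlCmd, req->data, req->length);
    ctrlCmd[req->length] = '\0';
    /* ... hand ctrlCmd to the SbieCtrl launcher (omitted) ... */
    return CTRL_OK;
}

/* Constructed stand-ins for the policy hook, used by the driver below. */
bool client_check_allow(void) { return true;  }
bool client_check_deny(void)  { return false; }

/* Driver: builds a request of 'len' filler bytes (max 4096) and returns the
   handler's verdict, so each accept/reject path can be exercised directly. */
int check_ctrl_payload(size_t len, bool authorised)
{
    static char filler[4096];
    memset(filler, 'A', sizeof(filler));
    if (len > sizeof(filler)) return CTRL_EINVAL;
    ini_request_t req = { MSGID_SBIE_INI_RUN_SBIE_CTRL, (uint32_t)len, filler };
    return run_sbie_ctrl_hardened(&req, authorised ? client_check_allow : client_check_deny);
}
```

Note that the length check rejects exactly 128 bytes as well, because the terminator written after the copy would otherwise land one byte past the buffer.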
How can this vulnerability impact me?
This vulnerability can impact you by allowing a local attacker to crash the Sandboxie service, causing denial of service.
More seriously, it can enable an attacker to execute arbitrary code with SYSTEM-level privileges on the affected system, leading to a full local privilege escalation.
This means an attacker with local access could gain control over the system, bypassing sandbox restrictions and potentially compromising system integrity and security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal crashes or instability of the SbieSvc service, which may indicate exploitation attempts. Since the vulnerability involves sending an oversized payload to the Sandboxie service pipe, detection can focus on identifying local processes connecting to the Sandboxie service and sending unusually large or malformed messages.
Specific commands to detect exploitation attempts are not provided in the available resources. However, general approaches include:
- Using Windows Event Viewer or service logs to check for crashes or errors related to SbieSvc.
- Using process monitoring tools (e.g., Sysinternals Process Monitor) to observe local processes interacting with the Sandboxie service.
- Using network or IPC monitoring tools to detect local connections to the Sandboxie service pipe with oversized payloads.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, consider restricting local access to the Sandboxie service pipe to trusted users only, as the service pipe is created with a NULL DACL allowing any local interactive process to connect.
Monitoring for suspicious activity targeting the Sandboxie service and limiting local user privileges can also help reduce the risk of exploitation.