CVE-2026-34462
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Sandboxie-Plus ProcessServer Handlers

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34462
EUVD
EUVD-2026-27462
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sandboxie-plus sandboxie to 1.17.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34462 is a high-severity stack-based buffer overflow vulnerability in Sandboxie-Plus, an open source sandboxing software for Windows. The issue occurs in the ProcessServer component, specifically in handlers like KillAllHandler, SuspendAllHandler, and RunSandboxedHandler. These handlers copy a fixed-length WCHAR boxname field from request structures into larger stack buffers using wcscpy without verifying null termination.

Because the service pipe accepts variable-length packets larger than the request structure, an attacker can send a specially crafted packet that fills the boxname field with non-terminated data and appends additional controlled wide characters. This causes wcscpy to read beyond the intended buffer and overflow the destination stack buffer.

The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy happens before authorization checks. This can lead to a crash of the SbieSvc service or potentially allow code execution with SYSTEM privileges.

Impact Analysis

This vulnerability can have serious impacts including causing the Sandboxie-Plus service (SbieSvc) to crash, leading to denial of service.

More critically, it can allow a local attacker to execute arbitrary code with SYSTEM privileges, effectively escalating their privileges from an unprivileged local process to full system control.

Detection Guidance

This vulnerability involves a stack-based buffer overflow in the Sandboxie-Plus ProcessServer handlers that accept variable-length packets on a service pipe with a NULL DACL, allowing any local process to connect. Detection would involve monitoring or inspecting local process interactions with the SbieSvc service pipe for abnormal or oversized packets targeting the boxname field.

Since the vulnerability is local and involves specific handlers (KillAllHandler, SuspendAllHandler, RunSandboxedHandler) processing crafted requests, detection commands could include checking for unusual or crashing behavior of the SbieSvc service or monitoring local IPC (inter-process communication) traffic to the Sandboxie-Plus service pipe.

However, no specific detection commands or network signatures are provided in the available information.

Mitigation Strategies

The vulnerability has been fixed in Sandboxie-Plus version 1.17.3. The immediate mitigation step is to upgrade Sandboxie-Plus to version 1.17.3 or later.

Additional mitigation involves restricting local access to the SbieSvc service pipe to prevent untrusted local processes from connecting, as the service pipe is created with a NULL DACL allowing any local process to connect.

Until the update is applied, monitoring for crashes or suspicious activity related to the SbieSvc service may help identify exploitation attempts.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart