CVE-2026-34464
Analyzed Analyzed - Analysis Complete
Stack Buffer Overflow in Sandboxie-Plus

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34464
EUVD
EUVD-2026-27464
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sandboxie-plus sandboxie to 1.17.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34464 is a high-severity stack-based buffer overflow vulnerability in Sandboxie-Plus, a sandboxing software for Windows. The issue occurs in the NamedPipeServer::OpenHandler function, which copies a server field from a message structure into a fixed-size stack buffer without properly verifying null termination or length. This allows a sandboxed attacker to send a specially crafted message with an oversized server field, causing the buffer to overflow.

Because the service pipe accepts variable-length messages and only enforces a minimum packet size, an attacker can append controlled data beyond the expected field size. This leads to a stack buffer overflow in the SYSTEM service, which can cause the service to crash or potentially allow the attacker to execute arbitrary code with SYSTEM privileges.

This vulnerability effectively allows a sandbox escape, meaning code running in a restricted sandbox environment can break out and gain higher privileges on the system.

Impact Analysis

This vulnerability can have serious impacts including crashing the Sandboxie service or enabling an attacker to execute arbitrary code with SYSTEM-level privileges.

Since the vulnerability allows sandbox escape, an attacker who is initially confined to a restricted environment can break out and gain full control over the system, potentially leading to local privilege escalation.

  • Service crashes causing denial of service.
  • Arbitrary code execution as SYSTEM user.
  • Sandbox escape allowing attackers to bypass security restrictions.
  • Local privilege escalation on affected systems.
Detection Guidance

This vulnerability involves a stack-based buffer overflow in the Sandboxie LPC/ALPC service port, which is exposed with a NULL DACL and can be triggered by sending a malformed MSGID_NAMED_PIPE_OPEN message with an oversized server field.

Detection would involve monitoring or attempting to send crafted messages to the Sandboxie LPC/ALPC service port to identify if the service crashes or behaves unexpectedly.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The vulnerability has been fixed in Sandboxie-Plus version 1.17.3.

Immediate mitigation steps include upgrading Sandboxie-Plus to version 1.17.3 or later.

Additional recommended fixes involve validating message sizes, enforcing explicit null terminators, using bounded string operations, and checking combined path lengths before construction.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34464. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart