CVE-2026-34596
Analyzed Analyzed - Analysis Complete
TOCTOU Race Condition in Sandboxie-Plus Addon Installation

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required. This issue has been fixed in version 1.17.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-17
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34596
EUVD
EUVD-2026-27468
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sandboxie-plus sandboxie to 1.17.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34596 is a local privilege escalation vulnerability in Sandboxie-Plus versions 1.17.2 and earlier. It arises from a Time-of-Check-to-Time-of-Use (TOCTOU) race condition during addon installation.

When a user installs an addon via the SandMan interface, a process called UpdUtil.exe is launched with SYSTEM privileges but stages files in a user-writable temporary directory (%TEMP%\sandboxie-updater). After verifying file hashes against the signed addon manifest, UpdUtil.exe extracts and executes files from a cabinet file (files.cab).

Between the hash verification and extraction steps, an unprivileged user can replace the legitimate files.cab with a malicious cabinet containing a harmful executable. This malicious executable is then run with SYSTEM privileges without triggering any User Account Control (UAC) prompt.

Impact Analysis

This vulnerability allows an unprivileged local attacker to escalate their privileges to SYSTEM level on a Windows machine running vulnerable versions of Sandboxie-Plus.

By exploiting the race condition, an attacker can execute arbitrary code with full administrative rights without any user consent or UAC prompt.

This can lead to complete system compromise, unauthorized access to sensitive data, installation of persistent malware, and the ability to bypass security controls.

Detection Guidance

This vulnerability can be detected by monitoring the presence and activity of the UpdUtil.exe process spawned by SbieSvc during addon installation in Sandboxie-Plus versions 1.17.2 and earlier.

Specifically, detection involves checking if UpdUtil.exe is running with SYSTEM privileges and if it is staging files in the user-writable %TEMP%\sandboxie-updater directory.

Commands to help detect this include:

  • Using PowerShell to check for UpdUtil.exe processes: Get-Process -Name UpdUtil
  • Checking the permissions and ownership of the %TEMP%\sandboxie-updater directory to see if it is user-writable and accessible by unprivileged users.
  • Monitoring file changes or replacements in the %TEMP%\sandboxie-updater directory, especially for files.cab.
  • Reviewing logs or using auditing tools to detect if config.exe or other executables are launched from the staging directory with SYSTEM privileges.
Mitigation Strategies

Immediate mitigation steps include upgrading Sandboxie-Plus to version 1.17.3 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict addon installation to administrative users only to prevent unprivileged users from exploiting the TOCTOU race condition.

Additionally, ensure that the staging directory (%TEMP%\sandboxie-updater) is owned by SYSTEM and has strict permissions to prevent unprivileged users from modifying files there.

Re-verifying file hashes before extraction and execution can also help mitigate the risk.

Finally, consider stopping the SbieSvc service if addon installation is not required, to prevent UpdUtil.exe from being spawned.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34596. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart