Sandboxie Flaws Let Attackers Gain SYSTEM Privileges – Patch Now
A series of critical vulnerabilities in Sandboxie and Sandboxie-Plus allows attackers to completely bypass sandbox isolation mechanisms and execute malicious code directly on the host operating system.
Affecting versions 1.17.2 and earlier, these flaws undermine the core purpose of application containerization, granting local attackers maximum SYSTEM-level privileges. Please update to the patched version 1.17.5 immediately.
The most severe flaw, tracked as CVE-2026-34459, is a stack-based buffer overflow residing in the GetRawInputDeviceInfoSlave handler of the SbieSvc proxy service.
Critical Sandboxie Flaws
Researchers found that by sending a specially crafted request, an attacker can force the service to return 32KB of uninitialized stack memory, effectively leaking sensitive data that bypasses Address Space Layout Randomization (ASLR) protections.
By chaining this memory disclosure with an unverified length variable, a sandboxed process can then construct a return-oriented programming (ROP) chain to achieve full SYSTEM privilege escalation.
Critically, this exploit chain works even against Security Hardened Sandbox configurations, rendering one of the platform’s most trusted protection modes ineffective.
A second critical vulnerability, CVE-2026-34458, allows an unprivileged local user to bypass configuration restrictions, including EditAdminOnly protections, and inject arbitrary directives into the global Sandboxie settings file.
The vulnerability exists because the background service fails to sanitize carriage return and line feed (CRLF) characters during certain messaging operations.
An attacker exploiting this flaw can silently inject a new sandbox section header with fully unrestricted permissions, establishing a highly reliable secondary pathway to escape the sandbox environment and achieve complete system compromise.
The ease of exploitation makes this vulnerability particularly concerning for multi-user environments and enterprise deployments.
Researchers also identified CVE-2026-32603, a local denial-of-service vulnerability in which a malformed IOCTL request sent to the Sandboxie driver immediately triggers a kernel crash and a system blue screen of death (BSOD).
While it does not enable code execution, this flaw poses a significant availability risk in production environments.
Additionally, CVE-2026-34527 exposes a cryptographic implementation error that effectively reduces the entropy of stored passwords from 160 bits to 80 bits.
This hashing degradation makes any leaked or backed-up Sandboxie passwords highly vulnerable to brute-force attacks, significantly weakening the platform’s overall security posture and the confidentiality of sandboxed credential storage.
Patch and Mitigation
The Sandboxie development team addressed these vulnerabilities beginning with the 1.17.3 release and continued refining mitigations through the newly released version 1.17.5, available on the official GitHub repository.
The key commit (c179b64) for version 1.17.5 deploys the critical security patches and also resolves a regression that prevented users from renaming sandboxes under the strict new configuration validation rules.
System administrators should follow this upgrade path to minimize risk:
- Uninstall the vulnerable Sandboxie or Sandboxie-Plus version while preserving the existing configuration file.
- Download and install the patched version 1.17.5 build from the official GitHub releases page.
- Verify the configuration file integrity after installation to ensure no malicious directives were injected before patching.
- Audit any systems where Sandboxie was deployed in multi-user or enterprise settings for signs of exploitation.
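One way to carry out the configuration-integrity check in the third step, as an added example (not code from the Sandboxie project or this article): it parses a Sandboxie.ini-style file, reports sandbox sections that are not on the administrator's baseline list, lines carrying stray control bytes, and a [GlobalSettings] section that has lost its EditAdminOnly=y directive. The sample configuration and the box names are constructed for the example; only EditAdminOnly comes from the advisory.

```python
import re

# Constructed sample in Sandboxie.ini layout (not a file from the article):
# a global section, one legitimate box, and a box missing from the baseline.
# EditAdminOnly is the directive the advisory names; box names are placeholders.
SAMPLE_INI = (
    "[GlobalSettings]\r\n"
    "EditAdminOnly=y\r\n"
    "[DefaultBox]\r\n"
    "Enabled=y\r\n"
    "[UnexpectedBox]\r\n"
    "Enabled=y\r\n"
)

SECTION_RE = re.compile(r"^\[([^\]\r\n]+)\]\s*$")
CONTROL_RE = re.compile(r"[\x00-\x1f]")  # stray CR/LF/NUL etc. after CR strip


def parse_sections(text: str) -> dict[str, list[str]]:
    """Return {section name: [non-empty lines]} in file order.
    Splits on LF only and strips one trailing CR, so a CR embedded mid-line
    survives for the control-byte check instead of acting as a separator."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.split("\n"):
        line = raw[:-1] if raw.endswith("\r") else raw
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def audit_config(text: str, baseline_sections) -> list[str]:
    """Flag sections absent from the baseline, lines carrying control bytes,
    and a [GlobalSettings] that no longer has EditAdminOnly=y."""
    findings: list[str] = []
    allowed = set(baseline_sections)
    sections = parse_sections(text)
    for name, lines in sections.items():
        if name not in allowed:
            findings.append(f"unexpected section [{name}]")
        for line in lines:
            if CONTROL_RE.search(line):
                findings.append(f"control bytes in [{name}]: {line!r}")
    if not any(l.strip().lower() == "editadminonly=y"
               for l in sections.get("GlobalSettings", [])):
        findings.append("EditAdminOnly=y missing from [GlobalSettings]")
    return findings
```

Run it against the configuration file restored after the upgrade, with the baseline list taken from a known-good copy made before the vulnerable window; any finding deserves a manual look before the sandboxes are put back into use.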
Organizations relying on Sandboxie for application isolation in security-sensitive workflows should treat this update as a priority remediation given the SYSTEM-level impact of the chained exploit scenarios.