Heap Overflow Vulnerability in Sandboxie Isolation Software by Sandboxie Plus
CVE-2025-64721

9.9CRITICAL

Key Information:

Vendor

Sandboxie-plus

Status
Sandboxie
Vendor
CVE Published:
11 December 2025

What is CVE-2025-64721?

The vulnerability in Sandboxie affects versions 1.16.6 and earlier, where the SYSTEM-level service SbieSvc.exe improperly handles user-controlled values in the SbieIniServer::RC4Crypt method. This oversight allows sandboxed processes to create a heap overflow by manipulating buffer sizes, thereby executing arbitrary code at the SYSTEM level. This serious flaw compromises the security of the host system, allowing attackers to bypass the isolation that the software is intended to provide. The issue has been remediated in version 1.16.7.

Affected Version(s)

Sandboxie < 1.16.7

References

https://github.com/sandboxie-plus/Sandboxie/security/advi...
x_refsource_CONFIRM
https://github.com/sandboxie-plus/Sandboxie/commit/000492...
x_refsource_MISC
https://github.com/sandboxie-plus/Sandboxie/releases/tag/...
x_refsource_MISC

CVSS V4

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64721 : Heap Overflow Vulnerability in Sandboxie Isolation Software by Sandboxie Plus