Sandbox Escape Vulnerability in Sandboxie-Plus by Sandboxie-Plus
CVE-2026-34459
What is CVE-2026-34459?
Sandboxie-Plus is open-source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service handles IPC requests improperly, which exposes two vulnerabilities. The first is an information leak: uninitialized stack memory is returned to the caller, disclosing sensitive data such as return addresses and stack cookies and so defeating ASLR and /GS protections. The second is a stack buffer overflow caused by a memcpy operation that does not properly validate the length of the data being copied. Chained together, these vulnerabilities allow a sandboxed process to execute a Return-Oriented Programming (ROP) chain, resulting in a potential SYSTEM privilege escalation. Intel CET limits ROP execution, but it does not address the initial information leak. The vulnerability is resolved in version 1.17.3.
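The two defensive checks this description implies, as an added example that is not Sandboxie-Plus code: a request handler that zeroes its reply before use and bounds the copy by the destination size rather than by the sender's length field. The ipc_request and ipc_reply layouts, MAX_PAYLOAD and handle_request are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout for illustration; not Sandboxie-Plus structures. */
#define MAX_PAYLOAD 64
enum { IPC_OK = 0, IPC_ERR_TRUNCATED = 1, IPC_ERR_TOO_LONG = 2 };

typedef struct {
    uint32_t length;      /* byte count claimed by the (untrusted) sender */
    uint8_t  data[256];   /* request body */
} ipc_request;

typedef struct {
    uint32_t status;
    uint32_t used;                  /* number of valid bytes in payload */
    uint8_t  payload[MAX_PAYLOAD];  /* fixed-size buffer, typically on the stack */
} ipc_reply;

/* Validates the request and fills the reply; returns the status code. */
int handle_request(const ipc_request *req, size_t req_size, ipc_reply *reply)
{
    /* Leak fix: zero the whole reply so no stale stack bytes are returned. */
    memset(reply, 0, sizeof *reply);

    /* The header must be present, and the claimed length may not exceed
       the body bytes actually received. */
    size_t hdr = offsetof(ipc_request, data);
    if (req_size < hdr || req->length > req_size - hdr)
        return (int)(reply->status = IPC_ERR_TRUNCATED);

    /* Overflow fix: bound the copy by the destination size, not the sender. */
    if (req->length > sizeof reply->payload)
        return (int)(reply->status = IPC_ERR_TOO_LONG);

    memcpy(reply->payload, req->data, req->length);
    reply->used = req->length;
    return (int)(reply->status = IPC_OK);
}

int main(void)
{
    ipc_request req = { .length = MAX_PAYLOAD + 1 };  /* constructed oversized request */
    ipc_reply reply;
    printf("status=%d\n", handle_request(&req, sizeof req, &reply));
    return 0;
}
```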
Affected Version(s)
Sandboxie < 1.17.3
