Buffer Overflow Vulnerability in Sandboxie-Plus Affects Windows Isolation Software
CVE-2026-34464

8.8HIGH

Key Information:

Vendor: Sandboxie-plus
Status: Sandboxie
Vendor: CVE Published:; 5 May 2026

🔔 Create Sandboxie-plus Vulnerability Alert

What is CVE-2026-34464?

Sandboxie-Plus, an open-source sandboxing solution for Windows, contains a buffer overflow vulnerability in its NamedPipeServer::OpenHandler function. Specifically, versions 1.17.2 and earlier fail to properly verify null termination when copying data from NAMED_PIPE_OPEN_REQ to a fixed stack buffer. This oversight allows sandboxed callers to exploit the vulnerability by sending variable-length messages, leading to potential system service crashes or even arbitrary code execution with SYSTEM privileges. The issue has been resolved in version 1.17.3. Users are encouraged to upgrade to this version to mitigate any risks associated with this vulnerability.

Affected Version(s)

Sandboxie < 1.17.3

References

https://github.com/sandboxie-plus/Sandboxie/security/advi...

x_refsource_CONFIRM

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-34464 Data

JSON