TOCTOU Race Condition in Sandboxie-Plus Affects Windows Systems
CVE-2026-34596

5.4 MEDIUM

Key Information:

Status
Vendor
CVE Published: 5 May 2026

What is CVE-2026-34596?

Sandboxie-Plus, a popular open-source sandboxing application for Windows, is affected by a TOCTOU (Time-of-Check-to-Time-of-Use) race condition during the installation of addons. In versions 1.17.2 and earlier, the vulnerability arises when an addon is installed through the SandMan interface: the UpdUtil.exe process is spawned with SYSTEM privileges but stages its files in the user-writable %TEMP% directory. If an unprivileged user can replace the legitimate files.cab with a crafted version before the hash verification process is completed, they may execute malicious code with SYSTEM privileges, bypassing standard security checks such as UAC prompts. This flaw compromises the integrity of the installation process and can lead to unauthorized privilege elevation on the system. The issue has been resolved in version 1.17.3. For more details, refer to the advisory on the official GitHub page.
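The following is an added illustration of the general defect class, not code from Sandboxie-Plus or its advisory. The function names (install_unsafe, install_safe, demo) and the archive contents are constructed for the example. It contrasts a "hash the path, then re-read the path" installer pattern, where a write to the staged file between the check and the use goes unnoticed, with a hardened pattern that reads the archive bytes once, verifies that buffer, and only ever uses that same buffer. A hook stands in for the concurrent write to the staging file.

```python
"""Check-then-use on a path versus verify-then-use on one buffer.

Added example (not Sandboxie-Plus code). Simulates a privileged installer
that stages an archive in a directory other accounts can write to.
"""
import hashlib
import os
import tempfile
from typing import Callable, Optional


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_unsafe(path: str, expected_sha256: str,
                   between_check_and_use: Optional[Callable[[], None]] = None
                   ) -> Optional[bytes]:
    """TOCTOU-prone: the check and the use are two separate opens of the path."""
    # CHECK: hash whatever the path holds right now.
    with open(path, "rb") as f:
        if sha256_of(f.read()) != expected_sha256:
            return None
    if between_check_and_use is not None:
        between_check_and_use()  # simulated concurrent write to the staged file
    # USE: re-read the path; this is not necessarily what was verified.
    with open(path, "rb") as f:
        return f.read()


def install_safe(path: str, expected_sha256: str,
                 between_check_and_use: Optional[Callable[[], None]] = None
                 ) -> Optional[bytes]:
    """Hardened: read once, verify the buffer, use only that buffer."""
    with open(path, "rb") as f:
        data = f.read()
    if sha256_of(data) != expected_sha256:
        return None  # reject; nothing from this file is ever used
    if between_check_and_use is not None:
        between_check_and_use()  # a later write to the path no longer matters
    return data  # the bytes that were hashed are the bytes that get installed


def demo() -> dict:
    """Run both patterns against a staged file that is rewritten mid-install."""
    trusted = b"TRUSTED-CAB-CONTENT"     # constructed stand-in for files.cab
    replaced = b"REPLACED-CONTENT"       # constructed stand-in for a swapped file
    expected = sha256_of(trusted)

    with tempfile.TemporaryDirectory() as staging:
        cab = os.path.join(staging, "files.cab")

        def stage_trusted() -> None:
            with open(cab, "wb") as f:
                f.write(trusted)

        def overwrite_staged() -> None:
            # Stands in for another account writing to the staging directory.
            with open(cab, "wb") as f:
                f.write(replaced)

        stage_trusted()
        unsafe_result = install_unsafe(cab, expected, overwrite_staged)

        stage_trusted()
        safe_result = install_safe(cab, expected, overwrite_staged)

        stage_trusted()
        wrong_hash_result = install_safe(cab, sha256_of(replaced))

    return {
        "unsafe": unsafe_result,          # passed the check, used other bytes
        "safe": safe_result,              # used exactly what was verified
        "wrong_hash": wrong_hash_result,  # rejected outright
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hardened version removes the race from the verification step, but it does not fix the staging location: a privileged process should stage into a directory that unprivileged accounts cannot write to (and should not extract or execute anything from a shared temp directory), because other steps, such as extracting the archive to disk and then running files from it, reintroduce the same check-then-use gap.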

Affected Version(s)

Sandboxie < 1.17.3

References

CVSS V4

Score: 5.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
