PT-2025-50734 · Sophos · Sandboxie

Depthfirstdisclosures · Published 2025-12-11 · Updated 2025-12-30 · CVE-2025-64721

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Sandboxie versions 1.16.6 and below

Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. The SYSTEM-level service SbieSvc.exe exposes the SbieIniServer::RC4Crypt function to sandboxed processes. This function adds a fixed header size to a caller-controlled value len without performing adequate overflow checks. Providing a large value len (for example, 0xFFFFFFF0) causes the allocation size to wrap around, resulting in a heap overflow when attacker-controlled data is copied into a buffer that is too small. Successful exploitation allows sandboxed processes to execute arbitrary code with SYSTEM privileges, leading to full host compromise.

Recommendations

Update Sandboxie to version 1.16.7 or later.
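The size calculation from the description, as an added example (not Sandboxie's code): the unchecked 32-bit addition next to a checked form that rejects a wrapping or oversized len before any allocation. HDR_SIZE, payload_bytes and both function names are hypothetical; the advisory does not give the real header size.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header size: the advisory does not state the real value. */
#define HDR_SIZE 0x20u

/* Unchecked pattern: 32-bit addition wraps modulo 2^32. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    return len + HDR_SIZE;
}

/* Checked form. payload_bytes is the number of payload bytes actually
 * present in the request (an assumption of this example). */
bool alloc_size_checked(uint32_t len, uint32_t payload_bytes, uint32_t *out)
{
    if (len > UINT32_MAX - HDR_SIZE)  /* len + HDR_SIZE would wrap */
        return false;
    if (len > payload_bytes)          /* claims more data than was sent */
        return false;
    *out = len + HDR_SIZE;
    return true;
}

int main(void)
{
    const uint32_t len = 0xFFFFFFF0u; /* example value from the advisory */
    uint32_t size = 0;

    printf("unchecked: len=0x%08" PRIX32 " -> alloc 0x%08" PRIX32 " bytes\n",
           len, alloc_size_unchecked(len));
    printf("checked:   len=0x%08" PRIX32 " -> %s\n", len,
           alloc_size_checked(len, 64, &size) ? "accepted" : "rejected");
    if (alloc_size_checked(48, 64, &size))
        printf("checked:   len=48 -> alloc %" PRIu32 " bytes\n", size);
    return 0;
}
```

With the assumed header size, the unchecked path turns a len of 0xFFFFFFF0 into a 16-byte allocation, while the checked path refuses the request.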

Exploit

Fix

LPE

Integer Overflow


Weakness Enumeration

Related Identifiers

CVE-2025-64721
GHSA-W476-J57G-96VP

Affected Products

Sandboxie