PT-2026-37225 · Unknown · Sandboxie Plus
Sammy12342 · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-34458
CVSS v4.0: 9.3 (Critical)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: Sandboxie-Plus versions prior to 1.17.3
Description: An INI injection issue allows a standard local user to bypass configuration restrictions, specifically EditAdminOnly and ConfigPassword, to inject arbitrary directives into the global Sandboxie.ini configuration file. The background service fails to perform authorization checks for IPC (Inter-Process Communication) messages targeting sections starting with UserSettings and does not sanitize CRLF (Carriage Return Line Feed) characters in the value parameter via MSGID SBIE INI ADD SETTING or the setting name parameter via MSGID SBIE INI SET SETTING. This allows an attacker to inject a new sandbox section header with unrestricted permissions, leading to sandbox escape and SYSTEM privilege escalation.
Recommendations: Update to version 1.17.3.
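As an added illustration (example code, not from the advisory or from the Sandboxie-Plus project), the following Python models the two behaviours the description contrasts: a naive INI writer that appends a caller-supplied name/value without checks, so an embedded CRLF turns the rest of the value into a new section header, beside a hardened writer that rejects control characters and restricts setting names. The file contents, section names and setting names are constructed for the example and do not reflect the real Sandboxie.ini.

```python
import re

# Constructed sample of a global INI file; sections and keys are illustrative only.
SAMPLE_INI = (
    "[GlobalSettings]\n"
    "EditAdminOnly=y\n"
    "\n"
    "[UserSettings_ABCD1234]\n"
    "SbieCtrl_Foo=1\n"
)

# Names: short identifiers; values: no control characters (CR/LF would start a new INI line).
_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")

def section_names(ini_text: str) -> list:
    """Return the [section] headers as a line-oriented INI parser would see them."""
    names = []
    for line in ini_text.splitlines():  # splits on \r\n, \r and \n alike
        m = re.fullmatch(r"\[(.+)\]", line.strip())
        if m:
            names.append(m.group(1))
    return names

def _insert_under(ini_text: str, section: str, line: str) -> str:
    """Append one raw line at the end of the named section (creating it if absent)."""
    lines = ini_text.splitlines()
    header = f"[{section}]"
    if header not in lines:
        lines.append(header)
    idx = lines.index(header) + 1
    while idx < len(lines) and not lines[idx].startswith("["):
        idx += 1
    lines.insert(idx, line)
    return "\n".join(lines) + "\n"

def naive_add_setting(ini_text: str, section: str, name: str, value: str) -> str:
    """Unsafe: writes name=value verbatim, so a CRLF in name or value yields fresh INI lines."""
    return _insert_under(ini_text, section, f"{name}={value}")

def safe_add_setting(ini_text: str, section: str, name: str, value: str) -> str:
    """Hardened: reject anything that could change the line or section structure."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid setting name: {name!r}")
    if _CTRL_RE.search(value):
        raise ValueError("control characters are not allowed in setting values")
    return _insert_under(ini_text, section, f"{name}={value}")
```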

Related Identifiers: CVE-2026-34458
Affected Products: Sandboxie Plus