PT-2026-37226 · Unknown · Sandboxie Plus

Sammy12342 · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-34459

CVSS v4.0: 8.8 (High)

Vector: AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Sandboxie-Plus versions prior to 1.17.3

Description

The GetRawInputDeviceInfoSlave() handler in the SbieSvc proxy service contains an information leak and a stack buffer overflow. The information leak occurs when a sandboxed process sends an IPC request with cbSize set to 0, which causes up to 32KB of uninitialized stack memory to be returned. The returned memory leaks return addresses and stack cookies, bypassing Address Space Layout Randomization (ASLR) and /GS protections. Additionally, the handler performs a memcpy operation using an attacker-controlled length without verifying that it fits within the 32KB stack buffer. By chaining these issues, a sandboxed process can execute a Return-Oriented Programming (ROP) chain (a technique that strings together small pieces of existing executable code) to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent execution of the ROP chain but do not stop the information leak.

Recommendations

Update to version 1.17.3.
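
The two defects in the description map to two checks in a request handler. The following is an added example, not Sandboxie-Plus code: a hypothetical handler with a 32KB stack buffer that rejects a caller-supplied length it cannot hold and replies only with bytes it actually wrote. The struct layouts, field names other than cbSize, and status codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLAVE_BUF_SIZE (32u * 1024u)   /* 32KB stack buffer, per the advisory */

enum { ST_OK = 0, ST_BAD_LENGTH = 1 }; /* hypothetical status codes */

/* Hypothetical IPC layouts for illustration; not Sandboxie-Plus structures. */
typedef struct {
    uint32_t cbSize;       /* length claimed by the sandboxed caller */
    uint32_t wire_len;     /* payload bytes actually received */
    const uint8_t *data;   /* payload, may be NULL when wire_len == 0 */
} req_t;

typedef struct {
    uint32_t status;
    uint32_t out_len;               /* number of valid bytes in out[] */
    uint8_t  out[SLAVE_BUF_SIZE];
} reply_t;

uint32_t handle_request(const req_t *req, reply_t *rep)
{
    uint8_t buf[SLAVE_BUF_SIZE] = {0};  /* zeroed: no stale stack bytes */

    rep->status  = ST_BAD_LENGTH;
    rep->out_len = 0;

    /* Guards against the overflow: the copy length must fit the stack
       buffer and must not exceed what the caller really sent. */
    if (req->cbSize > sizeof buf || req->cbSize > req->wire_len)
        return rep->status;

    if (req->cbSize != 0)
        memcpy(buf, req->data, req->cbSize);

    /* Guards against the leak: the reply length is the number of bytes
       written above, never the buffer capacity, so cbSize == 0 yields
       an empty reply. */
    rep->out_len = req->cbSize;
    if (rep->out_len != 0)
        memcpy(rep->out, buf, rep->out_len);
    rep->status = ST_OK;
    return rep->status;
}
```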

Fix

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-34459

Affected Products

Sandboxie Plus