PT-2026-37228 · Unknown · Sandboxie Plus
Yanchon918S · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-34462
CVSS v4.0: 7.3 (High)
Vector: AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Sandboxie-Plus versions prior to 1.17.3
Description
Several ProcessServer handlers, specifically KillAllHandler(), SuspendAllHandler(), and RunSandboxedHandler(), copy a boxname field from request structures into stack buffers using wcscpy without verifying null termination. Since the service pipe accepts variable-length packets larger than the request structure, a local attacker can fill the boxname field with non-zero data and append controlled wide characters to overflow the destination stack buffer. The service pipe is created with a NULL DACL (Discretionary Access Control List), so its security descriptor allows any local process to connect, and the unsafe copy occurs before authorization checks. This can result in a crash of the SbieSvc service or potential code execution with SYSTEM privileges.
Recommendations
Update to version 1.17.3.
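For code that parses a similar fixed-size name field from a pipe packet, the checks whose absence the description points to look like the following. This is an added example, not the Sandboxie-Plus patch or source: the struct layout, the field size, and the names demo_req and demo_copy_boxname are assumptions, and uint16_t stands in for the Windows 16-bit wide character so the code also builds off Windows.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_BOXNAME_LEN 32            /* assumed field size, in 16-bit chars */

/* Hypothetical request layout: header followed by a fixed-size boxname field. */
struct demo_req {
    uint32_t length;                   /* total packet length claimed by sender */
    uint32_t msgid;
    uint16_t boxname[DEMO_BOXNAME_LEN];
};

/* Copies the boxname out of an untrusted packet into dst (dst_count elements).
 * Returns 0 on success, -1 if the packet is malformed. Nothing is written to
 * dst unless every check passes. */
int demo_copy_boxname(const void *pkt, size_t pkt_len,
                      uint16_t *dst, size_t dst_count)
{
    struct demo_req req;
    size_t n = 0;

    /* Reject short packets and packets carrying trailing data: the handler
     * only understands the fixed structure. */
    if (pkt == NULL || dst == NULL || pkt_len != sizeof(req))
        return -1;
    memcpy(&req, pkt, sizeof(req));    /* private copy of the untrusted bytes */
    if (req.length != pkt_len)
        return -1;

    /* Look for the terminator inside the field only, never past it. */
    while (n < DEMO_BOXNAME_LEN && req.boxname[n] != 0)
        n++;
    if (n == DEMO_BOXNAME_LEN)         /* field is not null-terminated */
        return -1;
    if (n + 1 > dst_count)             /* destination too small */
        return -1;

    /* Length is known and bounded, so no unbounded string copy is needed. */
    memcpy(dst, req.boxname, (n + 1) * sizeof(uint16_t));
    return 0;
}
```

Because the copy in the advisory runs before authorization, validation of this kind has to be the first thing a handler does with the packet.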
Fix
Stack Overflow
Related Identifiers
Affected Products
Sandboxie Plus