PT-2026-37229 · Unknown · Sandboxie Plus

Yanchon918S · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-34464

CVSS v4.0 · 8.8 · High

Vector: AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Sandboxie-Plus versions prior to 1.17.3

Description

An issue exists in the NamedPipeServer::OpenHandler function where the server field from NAMED_PIPE_OPEN_REQ is copied into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. Because the service pipe accepts variable-length messages and only enforces a minimum packet size, a sandboxed caller can fill the server[48] field with non-zero data and append controlled wide characters. This causes wcscat to read past the fixed field and overflow the stack buffer in the SYSTEM service, creating a sandbox escape vector. This may result in a crash of the SbieSvc service or potential code execution with SYSTEM privileges.

Recommendations

Update to version 1.17.3.
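
The checks whose absence the description identifies, as an added example (not Sandboxie-Plus code and not the 1.17.3 patch): the message size is validated exactly, the terminator must lie inside the fixed field, and the output is sized before it is written. Assumptions: the open_req_t layout, the function names and the prefix/suffix strings are hypothetical, and wchar_t stands in for WCHAR.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define SERVER_CCH   48   /* server[48] request field, per the advisory */
#define PIPENAME_CCH 160  /* pipename[160] destination buffer, per the advisory */

/* Hypothetical wire layout: only the server[48] field comes from the advisory. */
typedef struct { wchar_t server[SERVER_CCH]; } open_req_t;

/* Length of a fixed-size field, or -1 if it holds no terminator at all. */
static int field_len(const wchar_t *s, size_t cch)
{
    for (size_t i = 0; i < cch; i++)
        if (s[i] == L'\0') return (int)i;
    return -1;
}

/* Returns 0 and fills out[] on success, -1 if the request is malformed. */
int build_pipe_name(const void *msg, size_t msg_len, wchar_t out[PIPENAME_CCH])
{
    static const wchar_t prefix[] = L"\\\\";      /* hypothetical decoration */
    static const wchar_t suffix[] = L"\\pipe\\";  /* hypothetical decoration */
    const size_t plen = wcslen(prefix), slen = wcslen(suffix);
    open_req_t req;

    /* Exact size, not just a minimum: no trailing bytes for a copy to run into. */
    if (msg == NULL || msg_len != sizeof(req)) return -1;
    memcpy(&req, msg, sizeof(req));

    /* The terminator must sit inside the field itself. */
    int n = field_len(req.server, SERVER_CCH);
    if (n < 0) return -1;
    /* Size the result before writing; stays correct if the sizes above change. */
    if (plen + (size_t)n + slen + 1 > PIPENAME_CCH) return -1;
    wmemcpy(out, prefix, plen);
    wmemcpy(out + plen, req.server, (size_t)n);
    wmemcpy(out + plen + n, suffix, slen + 1);    /* +1 copies the terminator */
    return 0;
}

int main(void)
{
    open_req_t full;                               /* constructed sample input */
    wchar_t out[PIPENAME_CCH];
    for (size_t i = 0; i < SERVER_CCH; i++) full.server[i] = L'A';
    printf("unterminated field -> %d\n", build_pipe_name(&full, sizeof full, out));
}
```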

Fix

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-34464

Affected Products

Sandboxie Plus