Sandboxie-Plus sandbox escape via uninitialized memory leak and stack overflow...

8.8 / 10

HIGH

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.

AI Analysis

Sandbox escape via uninitialized memory leak and stack overflow in GetRawInputDeviceInfoSlave handler

Basic Information

ID CVE-2026-34459

Source GitHub_M

Published May 5, 2026 at 19:27

Affected Product

Vendor sandboxie-plus

Product Sandboxie

Version < 1.17.3

Affected Versions sandboxie-plus Sandboxie < 1.17.3

CWE Classification

CWE-121

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Sandboxie-Plus

Product Sandboxie

Version 1.17.2 and earlier

References

github.com /sandboxie-plus/Sandboxie/security/advisories/GHSA-7cpc-5hv7-rfmh

{
    "lastseen": "",
    "description": "Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3.",
    "published": "2026-05-05T19:27:31.552Z",
    "modified": "2026-05-05T19:27:31.552Z",
    "type": "cve",
    "title": "Sandboxie-Plus sandbox escape via uninitialized memory leak and stack overflow in GetRawInputDeviceInfoSlave",
    "source": "GitHub_M",
    "references": "https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-7cpc-5hv7-rfmh",
    "id": "CVE-2026-34459",
    "bulletinFamily": "",
    "cwe": [
        "CWE-121"
    ],
    "cvelist": null,
    "sourceData": "sandboxie-plus Sandboxie < 1.17.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Sandboxie",
    "version": "< 1.17.3",
    "vendor": "sandboxie-plus",
    "ai_description": "Sandbox escape via uninitialized memory leak and stack overflow in GetRawInputDeviceInfoSlave handler",
    "ai_severity": "High",
    "ai_vendor": "Sandboxie-Plus",
    "ai_product": "Sandboxie",
    "ai_version": "1.17.2 and earlier",
    "ai_score": 8.8
}

Sandboxie-Plus sandbox escape via uninitialized memory leak and stack overflow in GetRawInputDeviceInfoSlave_CVE-2026-34459