Vulnerabilities ›

CVE-2026-32603

Medium ⚡ Exploit Available

CWE-20 — Weakness Type

                    Published: May 5, 2026                      ·  Modified: May 8, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \Device\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround.

🤖 AI Executive Summary

CVE-2026-32603 is a local denial of service vulnerability in Sandboxie kernel driver (versions ≤1.17.2) allowing unprivileged processes to crash the Windows kernel via malformed IOCTL commands. With exploit code publicly available and affecting Standard Sandbox configurations widely used in Saudi organizations, this poses immediate operational disruption risks. Patching to version 1.17.3 or switching to Security Hardened Sandbox configuration is critical for continuity.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 04:56

🇸🇦 Saudi Arabia Impact Assessment

Saudi government agencies, financial institutions (SAMA-regulated banks), and critical infrastructure operators using Sandboxie for malware analysis and application isolation face immediate operational disruption. Government cybersecurity centers (NCA) conducting threat analysis, banking sector SOCs performing malware sandboxing, and energy sector (ARAMCO, SEC) security teams are particularly vulnerable. The availability of working exploits increases risk of coordinated DoS attacks targeting security operations. Organizations relying on Sandboxie for compliance testing and isolated development environments will experience service interruptions.

🏢 Affected Saudi Sectors

Government (NCA, security agencies) Banking (SAMA-regulated institutions) Energy (ARAMCO, SEC) Telecommunications (STC, Mobily) Healthcare (MOH) Critical Infrastructure Cybersecurity Operations Centers

🎯 MITRE ATT&CK Techniques

T1499 - Endpoint Denial of Service T1499.004 - Application Exhaustion Flood T1561 - Disk Wipe T1529 - System Shutdown/Reboot

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Inventory all systems running Sandboxie versions ≤1.17.2 across your organization

2. Restrict IOCTL access to \Device\SandboxieDriverApi to trusted processes only via Windows Device Access Control Lists

3. Disable Standard Sandbox configurations and migrate to Security Hardened Sandbox immediately as interim mitigation

4. Monitor kernel event logs (Event ID 41 - kernel-power) for unexpected system crashes



PATCHING:

1. Upgrade Sandboxie to version 1.17.3 or later immediately upon release

2. Test patches in isolated lab environment before production deployment

3. Coordinate patching with security operations to minimize downtime



COMPENSATING CONTROLS:

1. Implement application whitelisting to prevent untrusted processes from executing within sandboxes

2. Deploy kernel patch protection (Windows Defender Exploit Guard - Kernel Exploit Protection)

3. Use Windows Sandbox or Hyper-V isolated containers as alternative isolation mechanisms

4. Enable Enhanced Mitigation Experience Toolkit (EMET) on systems running Sandboxie

5. Implement strict process execution policies via AppLocker or Windows Defender Application Control



DETECTION:

1. Monitor for IOCTL calls to \Device\SandboxieDriverApi with malformed parameters

2. Alert on unexpected kernel crashes (BSOD) from processes running in Standard Sandbox

3. Track Sandboxie version inventory and flag systems not yet patched

4. Monitor for Security Hardened Sandbox configuration changes

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حصر جميع الأنظمة التي تقوم بتشغيل إصدارات Sandboxie ≤1.17.2 عبر مؤسستك

2. تقييد وصول IOCTL إلى \Device\SandboxieDriverApi للعمليات الموثوقة فقط عبر قوائم التحكم في وصول أجهزة Windows

3. تعطيل تكوينات Standard Sandbox والهجرة إلى Security Hardened Sandbox فوراً كتخفيف مؤقت

4. مراقبة سجلات أحداث النواة (معرف الحدث 41 - kernel-power) للأعطال غير المتوقعة

التصحيح:

1. ترقية Sandboxie إلى الإصدار 1.17.3 أو أحدث فوراً عند الإصدار

2. اختبار التصحيحات في بيئة معملية معزولة قبل نشر الإنتاج

3. تنسيق التصحيح مع عمليات الأمان لتقليل وقت التوقف

الضوابط البديلة:

1. تنفيذ قائمة بيضاء للتطبيقات لمنع العمليات غير الموثوقة من التنفيذ داخل الصناديق الرملية

2. نشر حماية التصحيح النواة (Windows Defender Exploit Guard - Kernel Exploit Protection)

3. استخدام Windows Sandbox أو حاويات معزولة بـ Hyper-V كآليات عزل بديلة

4. تفعيل Enhanced Mitigation Experience Toolkit (EMET) على الأنظمة التي تقوم بتشغيل Sandboxie

5. تنفيذ سياسات تنفيذ العمليات الصارمة عبر AppLocker أو Windows Defender Application Control

الكشف:

1. مراقبة استدعاءات IOCTL إلى \Device\SandboxieDriverApi بمعاملات معيبة

2. التنبيه على أعطال النواة غير المتوقعة (BSOD) من العمليات التي تعمل في Standard Sandbox

3. تتبع جرد إصدار Sandboxie والإشارة إلى الأنظمة التي لم يتم تصحيحها بعد

4. مراقبة تغييرات تكوين Security Hardened Sandbox

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.2.1 - Change management procedures ECC 2024 A.12.3.1 - Segregation of development, test and production environments

🔵 SAMA CSF

SAMA CSF ID.RA-1 - Asset management and vulnerability identification SAMA CSF PR.IP-12 - System and information integrity SAMA CSF DE.CM-8 - Malware detection and prevention

🟡 ISO 27001:2022

ISO 27001:2022 A.12.3.1 - Change management ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Secure development policy

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 11.2 - Vulnerability scanning and remediation

🔗 References & Sources 3

🔗

https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3

security-advisories@github.com

Release Notes

🔗

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv

security-advisories@github.com

Exploit Vendor Advisory

🔗

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv

134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

sandboxie-plus:sandboxie

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 Quick Facts

Severity Medium

CVSS Score6.5

CWECWE-20

EPSS0.02%

Exploit ✓ Yes

Patch ✗ No

Published 2026-05-05

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available CWE-20

🏢 Vendor Advisories

🔗 https://github.com/sandboxie-plus/Sandboxie/security... 🔗 https://github.com/sandboxie-plus/Sandboxie/security...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-32603

Introduce Yourself

Sign In Required