
CVE-2026-34596

High ⚡ Exploit Available
CWE-367 — Weakness Type
Published: May 5, 2026  ·  Modified: May 12, 2026  ·  Source: NVD
CVSS v3
7.0
🔗 NVD Official
📄 Description (English)

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required.

This issue has been fixed in version 1.17.3.
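The verify-then-use gap described above, shown as an added example that is not Sandboxie-Plus code: the hardened pattern hashes the bytes it will later extract rather than the path, so a file replaced on disk after the check never reaches extraction. A ZIP stands in for files.cab (the standard library has no cabinet reader) and the expected digest stands in for the signed manifest entry; both are assumptions.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

class IntegrityError(Exception):
    """Staged archive does not match the digest from the signed manifest."""

def load_verified_archive(staged: Path, expected_sha256: str) -> bytes:
    """Read the staged archive exactly once and verify those bytes in memory."""
    data = staged.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        raise IntegrityError(f"{staged.name}: expected {expected_sha256}, got {digest}")
    return data

def extract_verified(data: bytes, dest: Path) -> list[str]:
    """Extract from the verified bytes; the on-disk path is never re-opened."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return zf.namelist()

def install_addon(staged: Path, expected_sha256: str, dest: Path) -> list[str]:
    """Check and use operate on the same bytes, so there is no swap window."""
    return extract_verified(load_verified_archive(staged, expected_sha256), dest)

def _make_archive(path: Path, payload: bytes) -> str:
    """Write a constructed one-file archive (ZIP in place of a cabinet) and return its SHA-256."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("config.exe", payload)
    return hashlib.sha256(path.read_bytes()).hexdigest()

def demo() -> dict:
    """A file changed on disk after the check is not what gets extracted."""
    with tempfile.TemporaryDirectory() as tmp:
        cab, dest = Path(tmp) / "files.cab", Path(tmp) / "extracted"
        expected = _make_archive(cab, b"manifest-approved content")  # manifest digest (assumed)
        data = load_verified_archive(cab, expected)   # check
        _make_archive(cab, b"different content")        # disk contents change after the check
        names = extract_verified(data, dest)            # use: the bytes that were checked
        extracted = (dest / "config.exe").read_bytes()
        try:                                            # a fresh verify-then-use rejects the file
            install_addon(cab, expected, dest)
            rejected = False
        except IntegrityError:
            rejected = True
    return {"names": names, "extracted": extracted, "tampered_rejected": rejected}
```

This only closes the window between hash check and extraction; the extracted config.exe must still live in a directory the unprivileged user cannot write to, which is why the staging directory itself has to be SYSTEM-only.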

🤖 AI Executive Summary

CVE-2026-34596 is a critical privilege escalation vulnerability in Sandboxie-Plus versions 1.17.2 and earlier exploiting a TOCTOU race condition during addon installation. An unprivileged attacker can replace staged addon files between hash verification and extraction to execute arbitrary code as SYSTEM without UAC prompts. With exploit code publicly available, this poses immediate risk to organizations using Sandboxie for application isolation and malware analysis.


🤖 AI Intelligence Analysis Analyzed: May 10, 2026 12:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi government agencies (NCA, NCSC), financial institutions (SAMA-regulated banks), and cybersecurity firms using Sandboxie for malware analysis and application sandboxing face direct privilege escalation risks. Critical impact for: (1) Government cybersecurity operations and incident response teams relying on Sandboxie for threat analysis; (2) Banking sector security labs conducting malware research; (3) Telecom operators (STC, Mobily) using sandbox environments for security testing; (4) Healthcare organizations using Sandboxie for legacy application isolation. Attackers gaining SYSTEM access can bypass sandbox protections entirely, compromising analysis integrity and enabling lateral movement.
🏢 Affected Saudi Sectors
- Government (NCA, NCSC, cybersecurity operations)
- Banking (SAMA-regulated institutions, security labs)
- Cybersecurity (threat analysis, malware research firms)
- Telecommunications (STC, Mobily security testing)
- Healthcare (legacy application isolation)
- Energy (ARAMCO security operations)
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade Sandboxie-Plus to version 1.17.3 or later immediately
2. Disable addon installation functionality until patching is complete
3. Restrict user permissions on %TEMP%\sandboxie-updater directory to SYSTEM-only access
4. Audit all recently installed addons for integrity

PATCHING GUIDANCE:
- Deploy version 1.17.3+ through centralized patch management
- Verify digital signatures on all Sandboxie binaries post-update
- Test addon functionality in non-production environment first

COMPENSATING CONTROLS (if immediate patching delayed):
- Disable addon installation via Group Policy or configuration lockdown
- Monitor %TEMP%\sandboxie-updater for unauthorized file modifications
- Implement file integrity monitoring (FIM) on addon staging directories
- Restrict Sandboxie service to run under dedicated low-privilege account where possible

DETECTION RULES:
- Alert on UpdUtil.exe spawning with SYSTEM privileges
- Monitor for file replacements in %TEMP%\sandboxie-updater between hash verification and extraction
- Track config.exe execution from non-standard paths
- Log all addon installation attempts with source validation
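The detection rules above as runnable matching logic, added here and not part of the advisory: Sysmon-style ProcessCreate and FileCreate events are constructed inline, and rule R2 narrows the page's "file replacements" rule to a write of files.cab by any process other than UpdUtil.exe, which is the only legitimate writer the description names. The event field names and sample paths are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Event ID 1 is
# ProcessCreate, Event ID 11 is FileCreate; field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Sandboxie-Plus\UpdUtil.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 11, "Image": r"C:\Program Files\Sandboxie-Plus\UpdUtil.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\sandboxie-updater\files.cab"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\sandboxie-updater\files.cab"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\sandboxie-updater\config.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "User": r"DESKTOP\alice"},
]

STAGING = re.compile(r"\\sandboxie-updater\\", re.IGNORECASE)  # %TEMP%\sandboxie-updater

def detect(events):
    """Return (rule, detail) tuples for events matching the advisory's detection rules."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        is_updutil = image.lower().endswith(r"\updutil.exe")
        # R1: UpdUtil.exe running as SYSTEM marks the start of the race window. It also
        # happens on every legitimate install, so treat it as context, not proof.
        if (ev["EventID"] == 1 and is_updutil
                and ev.get("User", "").upper() == r"NT AUTHORITY\SYSTEM"):
            alerts.append(("R1-updutil-as-system", image))
        # R2: files.cab in the staging directory written by anything other than UpdUtil.exe.
        target = ev.get("TargetFilename", "")
        if (ev["EventID"] == 11 and STAGING.search(target)
                and target.lower().endswith(r"\files.cab") and not is_updutil):
            alerts.append(("R2-files-cab-replaced", image))
        # R3: config.exe launched from the staging directory (the post-extraction step).
        if ev["EventID"] == 1 and image.lower().endswith(r"\config.exe") and STAGING.search(image):
            alerts.append(("R3-config-exe-from-staging", image))
    return alerts

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

R2 only has data if the Sysmon FileCreate rule set covers the staging directory, so check that configuration before relying on it.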
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Access Control Policies (privilege escalation prevention)
- ECC 2024 A.12.2.1 - Change Management (addon installation controls)
- ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities (patch management)
- ECC 2024 A.14.2.1 - Secure Development (secure coding practices for sandbox software)
🔵 SAMA CSF
- SAMA CSF ID.AM-2 - Asset Management (inventory Sandboxie deployments)
- SAMA CSF PR.AC-1 - Access Control (privilege escalation prevention)
- SAMA CSF PR.PT-2 - Protection Processes (patch management and vulnerability remediation)
- SAMA CSF DE.CM-1 - Detection and Analysis (monitoring addon installation activities)
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 - Access Control (privilege management)
- ISO 27001:2022 A.8.1 - Cryptography (hash verification integrity)
- ISO 27001:2022 A.12.3.1 - Change Management (addon installation procedures)
- ISO 27001:2022 A.12.6.1 - Management of Technical Vulnerabilities (patch deployment)
🟣 PCI DSS v4.0.1
- PCI DSS 6.2 - Security patches and updates (timely patching requirement)
- PCI DSS 7.1 - Least Privilege (SYSTEM privilege escalation prevention)
- PCI DSS 11.2 - Vulnerability Scanning (detection of unpatched systems)
📦 Affected Products / CPE 1 entries
sandboxie-plus:sandboxie
📊 CVSS Score
7.0
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: L — Local
Attack Complexity: H — High
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 7.0
CWE: CWE-367
EPSS: 0.01%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-05-05
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-367