📄 الوصف (الإنجليزية)
Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \Device\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround.
🤖 ملخص AI
CVE-2026-32603 is a local denial of service vulnerability in Sandboxie kernel driver (versions ≤1.17.2) allowing unprivileged processes to crash the Windows kernel via malformed IOCTL commands. With exploit code publicly available and affecting Standard Sandbox configurations widely used in Saudi organizations, this poses immediate operational disruption risks. Patching to version 1.17.3 or switching to Security Hardened Sandbox configuration is critical for continuity.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 13, 2026 04:56
🇸🇦 التأثير على المملكة العربية السعودية
Saudi government agencies, financial institutions (SAMA-regulated banks), and critical infrastructure operators using Sandboxie for malware analysis and application isolation face immediate operational disruption. Government cybersecurity centers (NCA) conducting threat analysis, banking sector SOCs performing malware sandboxing, and energy sector (ARAMCO, SEC) security teams are particularly vulnerable. The availability of working exploits increases risk of coordinated DoS attacks targeting security operations. Organizations relying on Sandboxie for compliance testing and isolated development environments will experience service interruptions.
🏢 القطاعات السعودية المتأثرة
Government (NCA, security agencies)
Banking (SAMA-regulated institutions)
Energy (ARAMCO, SEC)
Telecommunications (STC, Mobily)
Healthcare (MOH)
Critical Infrastructure
Cybersecurity Operations Centers
🎯 تقنيات MITRE ATT&CK
⚖️ درجة المخاطر السعودية (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all systems running Sandboxie versions ≤1.17.2 across your organization
2. Restrict IOCTL access to \Device\SandboxieDriverApi to trusted processes only via Windows Device Access Control Lists
3. Disable Standard Sandbox configurations and migrate to Security Hardened Sandbox immediately as interim mitigation
4. Monitor kernel event logs (Event ID 41 - kernel-power) for unexpected system crashes
PATCHING:
1. Upgrade Sandboxie to version 1.17.3 or later immediately upon release
2. Test patches in isolated lab environment before production deployment
3. Coordinate patching with security operations to minimize downtime
COMPENSATING CONTROLS:
1. Implement application whitelisting to prevent untrusted processes from executing within sandboxes
2. Deploy kernel patch protection (Windows Defender Exploit Guard - Kernel Exploit Protection)
3. Use Windows Sandbox or Hyper-V isolated containers as alternative isolation mechanisms
4. Enable Enhanced Mitigation Experience Toolkit (EMET) on systems running Sandboxie
5. Implement strict process execution policies via AppLocker or Windows Defender Application Control
DETECTION:
1. Monitor for IOCTL calls to \Device\SandboxieDriverApi with malformed parameters
2. Alert on unexpected kernel crashes (BSOD) from processes running in Standard Sandbox
3. Track Sandboxie version inventory and flag systems not yet patched
4. Monitor for Security Hardened Sandbox configuration changes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع الأنظمة التي تقوم بتشغيل إصدارات Sandboxie ≤1.17.2 عبر مؤسستك
2. تقييد وصول IOCTL إلى \Device\SandboxieDriverApi للعمليات الموثوقة فقط عبر قوائم التحكم في وصول أجهزة Windows
3. تعطيل تكوينات Standard Sandbox والهجرة إلى Security Hardened Sandbox فوراً كتخفيف مؤقت
4. مراقبة سجلات أحداث النواة (معرف الحدث 41 - kernel-power) للأعطال غير المتوقعة
التصحيح:
1. ترقية Sandboxie إلى الإصدار 1.17.3 أو أحدث فوراً عند الإصدار
2. اختبار التصحيحات في بيئة معملية معزولة قبل نشر الإنتاج
3. تنسيق التصحيح مع عمليات الأمان لتقليل وقت التوقف
الضوابط البديلة:
1. تنفيذ قائمة بيضاء للتطبيقات لمنع العمليات غير الموثوقة من التنفيذ داخل الصناديق الرملية
2. نشر حماية التصحيح النواة (Windows Defender Exploit Guard - Kernel Exploit Protection)
3. استخدام Windows Sandbox أو حاويات معزولة بـ Hyper-V كآليات عزل بديلة
4. تفعيل Enhanced Mitigation Experience Toolkit (EMET) على الأنظمة التي تقوم بتشغيل Sandboxie
5. تنفيذ سياسات تنفيذ العمليات الصارمة عبر AppLocker أو Windows Defender Application Control
الكشف:
1. مراقبة استدعاءات IOCTL إلى \Device\SandboxieDriverApi بمعاملات معيبة
2. التنبيه على أعطال النواة غير المتوقعة (BSOD) من العمليات التي تعمل في Standard Sandbox
3. تتبع جرد إصدار Sandboxie والإشارة إلى الأنظمة التي لم يتم تصحيحها بعد
4. مراقبة تغييرات تكوين Security Hardened Sandbox
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.3.1 - Segregation of development, test and production environments
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and vulnerability identification
SAMA CSF PR.IP-12 - System and information integrity
SAMA CSF DE.CM-8 - Malware detection and prevention
🟡 ISO 27001:2022
ISO 27001:2022 A.12.3.1 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.2 - Vulnerability scanning and remediation
🔗 المراجع والمصادر 3
🔗
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3
security-advisories@github.com
Release Notes
🔗
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 المنتجات المتأثرة 1 منتج
sandboxie-plus:sandboxie