CVE-2026-45313 in Sandboxieinfo

Summary

by MITRE • 07/16/2026

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUI_WND_HOOK_REGISTER request without validating that the thread belongs to the sandboxed process or that the function pointer is in the caller address space, and GuiServer::WndHookNotifySlave then calls OpenThread(THREAD_SET_CONTEXT, FALSE, whk->hthread) and QueueUserAPC((PAPCFUNC)whk->hproc, hThread, (ULONG_PTR)req->threadid) as SYSTEM, allowing a sandboxed process to execute arbitrary code in an unsandboxed host process. This issue is fixed in version 1.17.6.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in Sandboxie-Plus represents a critical privilege escalation flaw that undermines the fundamental security model of sandboxed applications. The issue stems from inadequate input validation within the GuiServer component, specifically in the GuiServer::WndHookRegisterSlave function which processes GUI_WND_HOOK_REGISTER requests. This function fails to verify that attacker-supplied handles hthread and hproc originate from legitimate sandboxed processes, creating a pathway for malicious code execution outside the intended isolation boundaries.

The technical implementation flaw occurs when the system accepts unvalidated thread and process handles without proper sandbox membership verification. The GuiServer::WndHookNotifySlave function subsequently executes OpenThread with THREAD_SET_CONTEXT access rights, followed by QueueUserAPC which schedules arbitrary code execution in the target thread context. This sequence allows a sandboxed process to escalate privileges and execute code within the host process address space, effectively bypassing the sandbox isolation mechanism that should protect the host system from malicious activities originating within the sandbox.

From an operational perspective, this vulnerability presents a severe threat to system security as it enables attackers to perform privilege escalation attacks against the host system. The attack requires only that a sandboxed process be able to send specially crafted GUI_WND_HOOK_REGISTER requests, which can be achieved through various means including malicious software or exploitation of other vulnerabilities within the sandboxed environment. The execution occurs with SYSTEM privileges, making the impact particularly devastating as it allows complete compromise of the host system.

The vulnerability aligns with CWE-264, which addresses permissions, privileges, and access controls, specifically covering improper validation of thread and process handles in security-critical contexts. From an ATT&CK framework perspective, this represents a privilege escalation technique using process injection methods, specifically leveraging Windows API functions for thread manipulation and APC queueing. The attack vector falls under T1055 - Process Injection, with the specific technique being T1055.002 - Dynamic-link Library Injection, although implemented through different system calls.

The recommended mitigation strategy involves upgrading to Sandboxie-Plus version 1.17.6 or later, which implements proper handle validation and sandbox membership verification. Additional protective measures include implementing strict access controls for GUI hook registration mechanisms, monitoring for suspicious thread manipulation patterns, and conducting regular security audits of sandboxed application behaviors. System administrators should also consider implementing application whitelisting policies to restrict which processes can interact with the sandboxing components, and maintain comprehensive logging of GUI hook operations for security monitoring purposes.

Responsible

GitHub M

Reservation

05/11/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!