CVE-2026-34596

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,4

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: active

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required.

This issue has been fixed in version 1.17.3.

367

Time-of-check Time-of-use (TOCTOU) Race Condition

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other Non-Repudiation

Potential Impacts:

Alter Execution Logic Unexpected State Modify Application Data Modify Files Or Directories Modify Memory Other Hide Activities

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: Medium

View CWE Details

https://github.com/sandboxie-plus/Sandboxie/security/adviso…

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-xjvp-63f2-…

CVE-2026-34596

Description

Time-of-check Time-of-use (TOCTOU) Race Condition

Common Consequences

Applicable Platforms

Iscriviti alla newsletter