CVE-2025-46716: CWE-125: Out-of-bounds Read in sandboxie-plus Sandboxie
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM. Version 1.15.12 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-46716 is a medium-severity vulnerability in Sandboxie, a sandbox-based isolation tool for 32-bit and 64-bit Windows NT-based systems, affecting versions from 1.3.0 up to but not including 1.15.12. It is classified as CWE-125 (out-of-bounds read), but the mechanism is an unvalidated user-supplied pointer: the Api_SetSecureParam handler in the Sandboxie driver takes a pointer from its user-mode caller and trusts that it is safe to read from, without checking that it points into user address space. SetRegValue then copies from whatever address was supplied, which may be a kernel address, into the HKLM Security SBIE registry value. Because the copied bytes are persisted in the registry, they can later be retrieved through API_GET_SECURE_PARAM, so the bug amounts to an arbitrary kernel memory read primitive that outlives the process that triggered it. The CVSS 3.1 base score is 5.5 (AV:L, PR:L, UI:N, C:H, I:N, A:N): exploitation is local, needs only low privileges and no user interaction, and the impact is confined to confidentiality. Version 1.15.12 fixes the issue by sanitizing the pointer before it is dereferenced. No exploits are reported in the wild. The practical use of such a primitive is to leak kernel pointers, for example to defeat kernel address space layout randomisation, as a stepping stone to exploiting a separate memory-corruption bug; on its own it grants neither code execution nor elevated privileges.
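The read primitive described above, modelled as an added example in plain C (this is not Sandboxie's code and does not show the real fix in 1.15.12): a handler that stores a caller-supplied buffer in a "registry value" and hands it back later, with the vulnerable trust-the-pointer version beside one that probes the address first. The simulated flat address space, the user/kernel boundary constant standing in for MmUserProbeAddress, the 64-byte store and the planted secret are all assumptions made for the model.

```c
/* Added example (not Sandboxie code): a user-mode model of a kernel handler
 * that stores a caller-supplied buffer in a "registry value" and hands it back
 * later. Addresses are offsets into a simulated flat address space; the
 * boundary constant plays the role of Windows' MmUserProbeAddress. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPACE_SIZE     0x10000u
#define USER_LIMIT     0x8000u          /* addresses >= this are "kernel" (assumption) */
#define PARAM_MAX      64u              /* capacity of the stored registry value */

static uint8_t g_space[SPACE_SIZE];     /* simulated memory: user half, kernel half */
static uint8_t g_reg_value[PARAM_MAX];  /* stands in for the HKLM SBIE registry value */
static size_t  g_reg_len;

/* Equivalent of ProbeForRead for this model: every byte of [addr, addr+len)
 * must lie below the user/kernel boundary, and addr+len must not wrap. */
int probe_for_read(uintptr_t addr, size_t len)
{
    if (len == 0) return 1;
    if (addr >= USER_LIMIT) return 0;
    if (len > USER_LIMIT - addr) return 0;   /* also rejects wrap-around */
    return 1;
}

/* Vulnerable pattern: trusts the caller's pointer and copies whatever it
 * points at. A caller can pass a kernel address and have its bytes stored.
 * The range check here only keeps the model from faulting; it is not a
 * user/kernel boundary check. */
int set_secure_param_vuln(uintptr_t addr, size_t len)
{
    if (len > PARAM_MAX || addr >= SPACE_SIZE || len > SPACE_SIZE - addr)
        return -1;
    memcpy(g_reg_value, &g_space[addr], len);
    g_reg_len = len;
    return 0;
}

/* Hardened pattern: reject anything outside user space before reading. In a
 * real driver the probe and copy must also sit inside __try/__except, since a
 * probed user address can still be unmapped by the time the copy happens. */
int set_secure_param_fixed(uintptr_t addr, size_t len)
{
    if (len > PARAM_MAX) return -1;
    if (!probe_for_read(addr, len)) return -1;
    memcpy(g_reg_value, &g_space[addr], len);
    g_reg_len = len;
    return 0;
}

/* The read-back side: any caller permitted to use it fetches the stored value. */
size_t get_secure_param(uint8_t *out, size_t cap)
{
    size_t n = g_reg_len < cap ? g_reg_len : cap;
    memcpy(out, g_reg_value, n);
    return n;
}

/* Plant a recognisable "kernel secret" (constructed sample data) and return
 * its address, so the demo has something to leak. */
uintptr_t plant_kernel_secret(void)
{
    const uintptr_t addr = USER_LIMIT + 0x100;       /* inside the kernel half */
    memcpy(&g_space[addr], "KERNELPTR", 9);
    return addr;
}

/* Returns 1 if the vulnerable path leaks the planted bytes through the
 * registry value and the hardened path refuses the same request. */
int demo_leak(void)
{
    uint8_t out[PARAM_MAX];
    uintptr_t secret = plant_kernel_secret();
    int leaked, blocked;

    leaked = set_secure_param_vuln(secret, 9) == 0 &&
             get_secure_param(out, sizeof out) == 9 &&
             memcmp(out, "KERNELPTR", 9) == 0;

    g_reg_len = 0;
    blocked = set_secure_param_fixed(secret, 9) != 0 && g_reg_len == 0;

    return leaked && blocked;
}

int main(void)
{
    printf("vulnerable path leaks and fixed path blocks: %s\n",
           demo_leak() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the read itself is not the only problem: the stored value is readable afterwards through a separate, legitimate API, so the leak persists even if the triggering process is gone. A fix has to validate the source pointer at the set side; restricting the get side alone would not remove the kernel bytes already written to the registry.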
Potential Impact
For European organizations, the impact of this vulnerability depends on how widely Sandboxie is deployed. Organizations that use Sandboxie for application isolation, testing, or containment of untrusted software on Windows NT-based systems are exposed to local attackers reading kernel memory and recovering kernel pointers, which helps an attacker bypass mitigations such as kernel address space layout randomisation and prepare a privilege-escalation chain built on some other bug. Sectors with high security requirements, such as finance, government, healthcare and critical infrastructure, face the greater risk if the leaked kernel information is combined with further attacks. Because exploitation requires local access with at least low privileges, the threat is most relevant where untrusted users or malicious code already run on endpoints or servers, which is precisely the situation a sandbox is deployed to contain. The vulnerability has no integrity or availability impact; its confidentiality impact is limited to the memory contents an attacker chooses to read, but that is enough to serve as a stepping stone to more severe attacks. Given the medium severity and the absence of known exploits, the immediate risk is moderate but should not be ignored.
Mitigation Recommendations
European organizations should prioritize upgrading Sandboxie installations to version 1.15.12 or later, where the vulnerability is fixed; any release from 1.3.0 up to but not including 1.15.12 is affected, so version checks in vulnerability scanning and patch management should use that range rather than a single build number. If an immediate upgrade is not feasible, restrict local access to systems running vulnerable versions so that only trusted users can log in locally, and apply the principle of least privilege to user accounts and sandbox configurations so that fewer processes can reach the driver's API at all. Endpoint policies that prevent unprivileged users from running arbitrary executables reduce the attack surface, since the bug is triggered by a local caller of the Sandboxie driver. For detection, monitor writes to the HKLM registry key the Sandboxie driver stores its parameters under (the advisory names it only as the Security SBIE value; the exact path is not given here), for example with Sysmon registry value-set events, and alert on unexpected changes that do not coincide with Sandboxie configuration activity. Endpoint detection and response tooling can help spot the follow-on activity a kernel information leak is typically used for. Network segmentation does not address this issue, because the attack vector is local.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-28T20:56:09.083Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682f59b40acd01a249263fd8
Added to database: 5/22/2025, 5:07:00 PM
Last enriched: 7/8/2025, 9:25:08 AM
Last updated: 1/7/2026, 6:10:56 AM