CVE-2025-46716: CWE-125: Out-of-bounds Read in sandboxie-plus Sandboxie
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM. Version 1.15.12 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-46716 is a medium-severity vulnerability in Sandboxie (sandboxie-plus), a sandbox-based isolation tool for 32-bit and 64-bit Windows NT-based systems. It affects versions from 1.3.0 up to, but not including, 1.15.12. The flaw, classified as an out-of-bounds read (CWE-125), sits in Api_SetSecureParam, a request handler in Sandboxie's kernel-mode driver. The handler accepts an address from its user-mode caller and reads from it without first validating that the address lies in user space, so the caller can supply any address, including one in kernel memory. SetRegValue then copies the bytes found at that address into a value under the HKLM\SECURITY\SBIE registry key, and the caller reads them back through API_GET_SECURE_PARAM. Together the two calls form an arbitrary kernel-memory read primitive for an unprivileged local user: each request discloses a caller-chosen number of bytes at a caller-chosen address, which is enough to recover kernel pointers and defeat KASLR, or to read other sensitive kernel data, in preparation for a separate privilege-escalation exploit. The CVSS 3.1 base score is 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N): local attack vector, low privileges required, no user interaction, high confidentiality impact and no impact on integrity or availability. Version 1.15.12 fixes the issue. The required fix for this class of bug is to validate the caller-supplied address and length before any read (on Windows, ProbeForRead inside a __try/__except block, with the copy itself under the same guard), using one captured length for both the check and the copy so the two cannot diverge. No exploits are reported in the wild.
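The handler pattern the summary describes, as an added example that is not Sandboxie's code: a small C model in which a flat byte array stands in for the address space, an index threshold plays the part of the user/kernel boundary (MmUserProbeAddress on Windows), and two versions of a set-parameter handler copy a caller-addressed buffer into a stand-in for the HKLM\SECURITY\SBIE value. All identifiers (set_secure_param_vuln, set_secure_param_fixed, probe_for_read, get_secure_param, leak_demo, user_demo) and the layout constants are the example's own. The fixed handler shows the check a kernel driver has to perform before reading through a user pointer, including an overflow-safe end-of-range test.

```c
/* Model of the CVE-2025-46716 pointer-trust bug. Added illustration, not
 * Sandboxie's code. Indices into `memory` below USER_LIMIT stand for user
 * mode, indices at or above it for kernel mode; callers of the model are
 * assumed to keep addresses below MEM_SIZE. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   4096
#define USER_LIMIT 2048   /* stands in for MmUserProbeAddress */
#define PARAM_MAX  64     /* largest secure parameter the model stores */

enum status { STATUS_OK = 0, STATUS_BAD_POINTER = 1, STATUS_TOO_LONG = 2 };

static uint8_t memory[MEM_SIZE];      /* simulated RAM, user + kernel */
static uint8_t reg_value[PARAM_MAX];  /* stands in for the HKLM\SECURITY\SBIE value */
static size_t  reg_len;

/* What the user-mode caller hands to the driver: an address and a length. */
struct set_param_args { uintptr_t data; size_t len; };

/* Vulnerable handler: trusts the caller's address completely, which is the
 * behaviour described for Api_SetSecureParam before 1.15.12. */
enum status set_secure_param_vuln(const struct set_param_args *a) {
    if (a->len > PARAM_MAX) return STATUS_TOO_LONG;
    memcpy(reg_value, memory + a->data, a->len);  /* no probe: kernel bytes leak */
    reg_len = a->len;
    return STATUS_OK;
}

/* The check a driver must do before reading a user pointer (ProbeForRead
 * semantics): the whole [base, base+len) range lies in user space and the
 * end-of-range computation cannot wrap around. */
int probe_for_read(uintptr_t base, size_t len) {
    if (len == 0) return 1;
    if (base >= USER_LIMIT) return 0;
    if (len > USER_LIMIT - base) return 0;  /* overflow-safe end check */
    return 1;
}

/* Fixed handler: same logic, but the address is validated first and the
 * length used for the check is the one used for the copy. */
enum status set_secure_param_fixed(const struct set_param_args *a) {
    if (a->len > PARAM_MAX) return STATUS_TOO_LONG;
    if (!probe_for_read(a->data, a->len)) return STATUS_BAD_POINTER;
    memcpy(reg_value, memory + a->data, a->len);
    reg_len = a->len;
    return STATUS_OK;
}

/* Counterpart of API_GET_SECURE_PARAM: returns the stored value to the caller. */
size_t get_secure_param(uint8_t *out, size_t cap) {
    size_t n = reg_len < cap ? reg_len : cap;
    memcpy(out, reg_value, n);
    return n;
}

/* Attacker scenario: pass a kernel address, then read the value back.
 * Returns 1 if the simulated kernel secret ends up in the caller's hands. */
int leak_demo(int use_fixed) {
    static const char secret[] = "KERNEL-POINTER";  /* constructed sample data */
    memset(memory, 0, sizeof memory);
    memcpy(memory + USER_LIMIT + 0x100, secret, sizeof secret);  /* lives in "kernel" */
    reg_len = 0;
    memset(reg_value, 0, sizeof reg_value);

    struct set_param_args a = { USER_LIMIT + 0x100, sizeof secret };
    enum status st = use_fixed ? set_secure_param_fixed(&a) : set_secure_param_vuln(&a);

    uint8_t out[PARAM_MAX] = {0};
    size_t n = get_secure_param(out, sizeof out);
    return st == STATUS_OK && n == sizeof secret && memcmp(out, secret, n) == 0;
}

/* Legitimate use: a user-space buffer still round-trips through the fixed handler. */
int user_demo(void) {
    static const char val[] = "cfg-value";  /* constructed sample data */
    memset(memory, 0, sizeof memory);
    memcpy(memory + 0x40, val, sizeof val);
    reg_len = 0;

    struct set_param_args a = { 0x40, sizeof val };
    if (set_secure_param_fixed(&a) != STATUS_OK) return 0;
    uint8_t out[PARAM_MAX] = {0};
    size_t n = get_secure_param(out, sizeof out);
    return n == sizeof val && memcmp(out, val, n) == 0;
}

int main(void) {
    printf("vulnerable handler leaks kernel bytes: %s\n", leak_demo(0) ? "yes" : "no");
    printf("fixed handler leaks kernel bytes:      %s\n", leak_demo(1) ? "yes" : "no");
    printf("fixed handler accepts user buffer:     %s\n", user_demo() ? "yes" : "no");
    return 0;
}
```

In a real WDM driver the range check is ProbeForRead(Address, Length, Alignment), which raises an exception instead of returning a status, so it and the copy both belong inside one __try/__except block: a user page can be unmapped between the probe and the copy, and the exception handler is what turns that into a clean STATUS_ACCESS_VIOLATION rather than a crash. Capturing the length once and reusing it, as the fixed handler does, also closes the double-fetch window where the caller changes the length after it has been checked.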
Potential Impact
For European organizations, the impact depends on how widely Sandboxie is deployed. Organizations that use it for application isolation, testing or containment on Windows endpoints should treat any host running an affected version as one on which a local, unprivileged user (or malware running as such a user) can read arbitrary kernel memory. On its own that is an information disclosure; in practice such a read primitive is exactly what an attacker needs to turn a separate memory-corruption bug into a reliable local privilege escalation, so it lowers the cost of compromising the host fully. Sectors with strict security requirements (finance, government, healthcare, critical infrastructure) are exposed in proportion to their use of the product. Because exploitation needs local code execution with only limited privileges, the risk is highest on multi-user systems and on endpoints where untrusted users or untrusted software can run. The flaw affects confidentiality only: it does not by itself let the attacker modify kernel memory or crash the system. With no known exploits in the wild the immediate risk is moderate, but the primitive is a standard building block in exploit chains and should be removed by patching.
Mitigation Recommendations
European organizations should upgrade Sandboxie to version 1.15.12 or later; this is the only complete fix. Where that cannot be done immediately: on multi-user hosts (terminal servers, shared workstations) where Sandboxie is not needed, uninstall it or disable its driver service, because the vulnerable request handler is reachable by any local user who can open the driver's device, and ordinary file or registry ACLs do not block that path. Restrict local logon on the remaining vulnerable hosts to trusted users and use application control so that untrusted code cannot run under those accounts. For detection, a successful exploit leaves a trace: the leaked bytes are written to a value under HKLM\SECURITY\SBIE, so registry-write telemetry on that key (EDR and Sysmon registry events are driven by the kernel's registry callbacks and therefore also see writes made by drivers) can surface attempts; unexpected churn in that key on a host that is not changing its Sandboxie configuration is the signal to look for. Keep least privilege on user accounts and sandbox configurations to limit what a local attacker starts with. Finally, add Sandboxie to vulnerability-scanning and patch-management inventories so that version checks flag anything below 1.15.12. Network segmentation does not mitigate a purely local flaw and should not be relied on here.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-28T20:56:09.083Z
- Cisa Enriched: false
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682f59b40acd01a249263fd8
Added to database: 5/22/2025, 5:07:00 PM
Last enriched: 7/8/2025, 9:25:08 AM
Last updated: 8/15/2025, 12:23:32 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)