
CVE-2025-46716: CWE-125: Out-of-bounds Read in sandboxie-plus Sandboxie

Severity: Medium
Tags: Vulnerability, CVE-2025-46716, CVE, CWE-125
Published: Thu May 22 2025 (05/22/2025, 16:50:18 UTC)
Source: CVE
Vendor/Project: sandboxie-plus
Product: Sandboxie

Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM. Version 1.15.12 fixes the issue.

AI-Powered Analysis

Last updated: 07/08/2025, 09:25:08 UTC

Technical Analysis

CVE-2025-46716 is a medium-severity vulnerability identified in Sandboxie, a sandbox-based isolation software used on 32-bit and 64-bit Windows NT-based operating systems. The vulnerability exists in versions from 1.3.0 up to but not including 1.15.12. The root cause is an out-of-bounds read (CWE-125) in the Api_SetSecureParam function, which fails to properly sanitize incoming pointers. Specifically, the function implicitly trusts that the pointer provided by the user is safe to read from. This leads to the SetRegValue function reading an arbitrary memory address, which can include sensitive kernel pointers, and storing this data into the HKLM Security SBIE registry value. Subsequently, this data can be retrieved via the API_GET_SECURE_PARAM call. The vulnerability allows a local attacker with limited privileges (PR:L) to read sensitive kernel memory without requiring user interaction (UI:N). The CVSS 3.1 base score is 5.5, reflecting a medium severity primarily due to the confidentiality impact (C:H), with no impact on integrity or availability. The attack vector is local (AV:L), requiring the attacker to have some level of access to the system. The issue was resolved in version 1.15.12 by properly sanitizing the pointers before dereferencing them. No known exploits are currently reported in the wild. This vulnerability could be leveraged to leak sensitive kernel memory information, potentially aiding in privilege escalation or further attacks if combined with other vulnerabilities.
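The defect described above is a missing validation step: a kernel-side API copies from whatever address the caller supplies, and the copied bytes later become readable through a second API. The following C program is an added, self-contained simulation written for this page; it is not Sandboxie's code and not the actual fix. It models memory as a flat array whose offsets below a constructed boundary (SIM_USER_LIMIT) count as "user mode" and the rest as "kernel", fills the kernel region with a constructed marker byte, and places the unchecked copy beside the checked one so the difference in behaviour can be observed. All names, constants and sizes (g_mem, SIM_USER_LIMIT, MAX_PARAM_LEN, KERNEL_MARKER, the set/get functions) are assumptions of the simulation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation: a flat array stands in for memory. Offsets below
 * SIM_USER_LIMIT are treated as user mode, the rest as kernel memory. None of
 * these values come from Sandboxie; they exist only so the validation logic
 * can be exercised without a kernel driver. */
#define SIM_MEM_SIZE    4096u
#define SIM_USER_LIMIT  2048u
#define MAX_PARAM_LEN   64u
#define KERNEL_MARKER   0xAB   /* constructed byte pattern filling "kernel" memory */

static unsigned char g_mem[SIM_MEM_SIZE];

/* Stand-in for the registry value that the set call writes and the get call reads. */
static unsigned char g_secure_param[MAX_PARAM_LEN];
static size_t g_secure_param_len;

/* Zero the user region, fill the kernel region with the marker, clear the value. */
void sim_reset(void) {
    memset(g_mem, 0x00, SIM_USER_LIMIT);
    memset(g_mem + SIM_USER_LIMIT, KERNEL_MARKER, SIM_MEM_SIZE - SIM_USER_LIMIT);
    memset(g_secure_param, 0, sizeof g_secure_param);
    g_secure_param_len = 0;
}

/* Vulnerable pattern: the caller's address is trusted and read as-is.
 * The size check here only keeps the simulation inside g_mem; the point is
 * that nothing asks whether addr lies in memory the caller may read. */
bool set_secure_param_unchecked(uint32_t addr, uint32_t len) {
    if (len == 0 || len > MAX_PARAM_LEN || addr > SIM_MEM_SIZE - len) return false;
    memcpy(g_secure_param, g_mem + addr, len);
    g_secure_param_len = len;
    return true;
}

/* The check a caller-supplied range must pass before it is dereferenced:
 * bounded length, no arithmetic wraparound, and entirely inside the user region. */
bool user_range_is_valid(uint32_t addr, uint32_t len) {
    if (len == 0 || len > MAX_PARAM_LEN) return false;
    if (addr > UINT32_MAX - len) return false;       /* addr + len would wrap */
    if (addr + len > SIM_USER_LIMIT) return false;   /* range touches "kernel" memory */
    return true;
}

/* Hardened pattern: validate the whole range first, then copy. */
bool set_secure_param_checked(uint32_t addr, uint32_t len) {
    if (!user_range_is_valid(addr, len)) return false;
    memcpy(g_secure_param, g_mem + addr, len);
    g_secure_param_len = len;
    return true;
}

/* Stand-in for the get call: hands back whatever was stored, up to cap bytes. */
size_t get_secure_param(unsigned char *out, size_t cap) {
    size_t n = g_secure_param_len < cap ? g_secure_param_len : cap;
    memcpy(out, g_secure_param, n);
    return n;
}

/* True if the stored value contains a byte from the "kernel" region; since the
 * simulated user region is all zeros, the marker byte can only come from there. */
bool secure_param_leaks_kernel(void) {
    for (size_t i = 0; i < g_secure_param_len; i++)
        if (g_secure_param[i] == KERNEL_MARKER) return true;
    return false;
}

int main(void) {
    sim_reset();
    set_secure_param_unchecked(SIM_USER_LIMIT + 16, 8);
    printf("unchecked: leaks kernel bytes = %d\n", secure_param_leaks_kernel());

    sim_reset();
    bool accepted = set_secure_param_checked(SIM_USER_LIMIT + 16, 8);
    printf("checked: accepted = %d, leaks kernel bytes = %d\n",
           accepted, secure_param_leaks_kernel());
    return 0;
}
```

The checked path rejects three distinct failure modes separately: an oversized length, an address whose end would wrap past the top of the address space, and a range that starts in user memory but ends inside the kernel region. Testing each boundary case (a range ending exactly at the limit is accepted, one straddling it is not) is the part worth carrying into a real code review of any copy-from-caller routine.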

Potential Impact

For European organizations, the impact of this vulnerability depends on the extent to which Sandboxie is used within their environments. Organizations using Sandboxie for application isolation, testing, or security containment on Windows NT-based systems could be at risk of local attackers gaining unauthorized access to sensitive kernel memory. This could lead to information disclosure that may assist attackers in crafting more sophisticated attacks, including privilege escalation or bypassing security controls. In particular, organizations in sectors with high security requirements such as finance, government, healthcare, and critical infrastructure could face increased risk if attackers exploit this flaw to gather kernel-level information. However, since exploitation requires local access and limited privileges, the threat is more significant in environments where untrusted users have local access to endpoints or servers. The vulnerability does not directly affect integrity or availability, and its confidentiality impact is limited to the disclosed kernel memory, but it can be a stepping stone for more severe attacks. Given the medium severity and absence of known exploits, the immediate risk is moderate but should not be ignored.

Mitigation Recommendations

European organizations should prioritize upgrading Sandboxie installations to version 1.15.12 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, organizations should restrict local access to systems running vulnerable versions of Sandboxie, ensuring that only trusted users have local login capabilities. Implement strict endpoint security policies to prevent unprivileged users from executing arbitrary code or accessing Sandboxie APIs. Monitoring and logging of Sandboxie API calls could help detect suspicious activities attempting to exploit this vulnerability. Additionally, applying the principle of least privilege to user accounts and sandbox configurations will reduce the attack surface. Organizations should also consider network segmentation and endpoint detection and response (EDR) solutions to detect and respond to potential exploitation attempts. Regular vulnerability scanning and patch management processes should include checks for Sandboxie versions to ensure timely remediation.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-28T20:56:09.083Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f59b40acd01a249263fd8

Added to database: 5/22/2025, 5:07:00 PM

Last enriched: 7/8/2025, 9:25:08 AM

Last updated: 8/15/2025, 12:23:32 AM
