CVE-2026-32723 is a race condition vulnerability classified under CWE-362 affecting the SandboxJS JavaScript sandboxing library prior to version 0.8.35. SandboxJS enforces execution quotas on sandboxed code using a global tick state variable, `currentTicks.current`, which tracks the execution budget. In multi-tenant or concurrent sandbox deployments, this global tick state is shared across sandboxes rather than isolated per sandbox. Timer callbacks are compiled and executed referencing this shared tick state. Due to improper synchronization, a race condition occurs when one sandbox's timer callback is scheduled but before execution, another sandbox overwrites the global tick state. This causes the timer callback to run under the wrong sandbox's tick budget, effectively bypassing the original sandbox's execution quota or watchdog. This flaw undermines the sandbox's ability to limit resource consumption and execution time, potentially allowing malicious or buggy code to consume excessive CPU cycles or evade watchdog termination. The vulnerability requires low privileges and no user interaction but does require concurrent sandbox usage. The issue was addressed in SandboxJS version 0.8.35 by isolating tick states per sandbox or improving synchronization to prevent cross-sandbox interference. No public exploits have been reported, but the vulnerability poses a risk in environments relying on SandboxJS for secure multi-tenant JavaScript execution.

The primary impact of CVE-2026-32723 is the potential bypass of execution quotas and watchdog timers in SandboxJS, which can lead to denial of service or resource exhaustion within multi-tenant sandbox environments. Attackers controlling one sandbox instance can manipulate the shared global tick state to extend their execution time beyond intended limits, potentially causing performance degradation or instability in the host system. This undermines the security guarantees of sandbox isolation, increasing the risk of one tenant affecting others in shared environments. While it does not directly lead to code execution outside the sandbox or privilege escalation, the ability to bypass execution limits can facilitate further attacks or disrupt service availability. Organizations relying on SandboxJS for secure code execution in cloud services, web hosting, or multi-tenant platforms may face increased risk of service disruption or abuse. The vulnerability’s medium CVSS score reflects moderate impact due to the local attack vector and limited scope but highlights the importance of proper synchronization in sandbox implementations.

To mitigate CVE-2026-32723, organizations should immediately upgrade SandboxJS to version 0.8.35 or later, where the race condition is fixed by isolating tick states per sandbox or implementing proper synchronization mechanisms. For environments where immediate upgrade is not feasible, consider isolating sandboxes at the process or container level to prevent shared state interference. Implement strict resource monitoring and limits at the host or container orchestration level to detect and contain abnormal execution time or CPU usage. Review and harden sandbox configuration to minimize concurrency risks, such as limiting the number of concurrent sandboxes or disabling timer-based callbacks if not essential. Conduct thorough testing of sandbox behavior under concurrent loads to identify potential synchronization issues. Additionally, maintain vigilant logging and alerting on execution quota breaches or watchdog bypass attempts to enable rapid incident response. Avoid sharing global mutable state across sandboxes and adopt thread-safe or atomic operations for any shared resources in sandbox implementations.