CVE-2026-34596: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in sandboxie-plus Sandboxie
CVE-2026-34596 is a Time-of-Check-to-Time-of-Use (TOCTOU) race condition vulnerability in Sandboxie-Plus versions 1. 17. 2 and earlier. It occurs during addon installation via the SandMan interface, where a privileged process stages files in a user-writable temporary directory. An unprivileged user can exploit the window between hash verification and file extraction to replace a cabinet file with a malicious one, resulting in arbitrary code execution as SYSTEM without a UAC prompt. This vulnerability has been fixed in version 1. 17. 3.
AI Analysis
Technical Summary
Sandboxie-Plus, an open source sandboxing tool for Windows, had a TOCTOU race condition in versions prior to 1.17.3 during addon installation. The UpdUtil.exe process, running as SYSTEM, stages files in a user-writable %TEMP% directory. After verifying file hashes, the process extracts and executes files from a cabinet archive. The race condition allows an unprivileged user to replace the cabinet file after verification but before extraction, causing execution of malicious code with SYSTEM privileges without triggering a UAC prompt. This vulnerability is tracked as CVE-2026-34596 and is categorized under CWE-367.
Potential Impact
Successful exploitation allows an unprivileged user to execute arbitrary code with SYSTEM privileges on the affected system without user consent via UAC. This elevates privileges and compromises system security. The CVSS 4.0 base score is 5.4 (medium severity), reflecting the local attack vector, required privileges, and user interaction.
Mitigation Recommendations
This vulnerability is fixed in Sandboxie-Plus version 1.17.3. Users should upgrade to version 1.17.3 or later to remediate this issue. No other official remediation or temporary fix is documented. Until upgrading, avoid installing addons via the SandMan interface or restrict access to the %TEMP%\sandboxie-updater directory to trusted users only.
CVE-2026-34596: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in sandboxie-plus Sandboxie
Description
CVE-2026-34596 is a Time-of-Check-to-Time-of-Use (TOCTOU) race condition vulnerability in Sandboxie-Plus versions 1. 17. 2 and earlier. It occurs during addon installation via the SandMan interface, where a privileged process stages files in a user-writable temporary directory. An unprivileged user can exploit the window between hash verification and file extraction to replace a cabinet file with a malicious one, resulting in arbitrary code execution as SYSTEM without a UAC prompt. This vulnerability has been fixed in version 1. 17. 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Sandboxie-Plus, an open source sandboxing tool for Windows, had a TOCTOU race condition in versions prior to 1.17.3 during addon installation. The UpdUtil.exe process, running as SYSTEM, stages files in a user-writable %TEMP% directory. After verifying file hashes, the process extracts and executes files from a cabinet archive. The race condition allows an unprivileged user to replace the cabinet file after verification but before extraction, causing execution of malicious code with SYSTEM privileges without triggering a UAC prompt. This vulnerability is tracked as CVE-2026-34596 and is categorized under CWE-367.
Potential Impact
Successful exploitation allows an unprivileged user to execute arbitrary code with SYSTEM privileges on the affected system without user consent via UAC. This elevates privileges and compromises system security. The CVSS 4.0 base score is 5.4 (medium severity), reflecting the local attack vector, required privileges, and user interaction.
Mitigation Recommendations
This vulnerability is fixed in Sandboxie-Plus version 1.17.3. Users should upgrade to version 1.17.3 or later to remediate this issue. No other official remediation or temporary fix is documented. Until upgrading, avoid installing addons via the SandMan interface or restrict access to the %TEMP%\sandboxie-updater directory to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.499Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d86102152af
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/5/2026, 8:21:58 PM
Last updated: 5/5/2026, 9:07:35 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.