CVE-2026-34596: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in sandboxie-plus Sandboxie
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required. This issue has been fixed in version 1.17.3.
AI Analysis
Technical Summary
CVE-2026-34596 is a TOCTOU race condition in Sandboxie-Plus (<= 1.17.2) during addon installation via the SandMan interface. The updater process (UpdUtil.exe), running as SYSTEM, stages files in a user-writable temporary directory. After verifying file hashes against a signed manifest, the installer extracts and executes files from a cabinet archive. An attacker can replace the cabinet file between verification and extraction, causing execution of a malicious payload with SYSTEM privileges without user consent.
Potential Impact
Successful exploitation results in privilege escalation to SYSTEM level without triggering a UAC prompt, allowing an attacker with limited privileges to execute arbitrary code with high system privileges. This can lead to full system compromise on affected versions prior to 1.17.3.
Mitigation Recommendations
Upgrade Sandboxie-Plus to version 1.17.3 or later, where this TOCTOU race condition has been fixed. No other mitigations are specified or required once the update is applied.
CVE-2026-34596: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in sandboxie-plus Sandboxie
Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required. This issue has been fixed in version 1.17.3.
CVSS v4.0
Score 5.4medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34596 is a TOCTOU race condition in Sandboxie-Plus (<= 1.17.2) during addon installation via the SandMan interface. The updater process (UpdUtil.exe), running as SYSTEM, stages files in a user-writable temporary directory. After verifying file hashes against a signed manifest, the installer extracts and executes files from a cabinet archive. An attacker can replace the cabinet file between verification and extraction, causing execution of a malicious payload with SYSTEM privileges without user consent.
Potential Impact
Successful exploitation results in privilege escalation to SYSTEM level without triggering a UAC prompt, allowing an attacker with limited privileges to execute arbitrary code with high system privileges. This can lead to full system compromise on affected versions prior to 1.17.3.
Mitigation Recommendations
Upgrade Sandboxie-Plus to version 1.17.3 or later, where this TOCTOU race condition has been fixed. No other mitigations are specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.499Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d86102152af
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/13/2026, 3:40:49 AM
Last updated: 6/20/2026, 8:43:41 AM
Views: 93
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.