CVE-2025-46715
📋 TL;DR
This vulnerability in Sandboxie allows any user on a Windows system, including low-privileged processes, to write arbitrary registry key contents to kernel memory addresses. This can lead to kernel memory corruption, system crashes, or potential privilege escalation. Affects Sandboxie versions 1.3.0 through 1.15.11 on Windows NT-based systems.
💻 Affected Systems
- Sandboxie
- Sandboxie-Plus
📦 What is this software?
Sandboxie by Sandboxie Plus
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption leading to system crash (BSOD), privilege escalation to SYSTEM, or arbitrary code execution in kernel context.
Likely Case
System instability, crashes, or denial of service through kernel pointer manipulation.
If Mitigated
Limited impact if proper access controls restrict low-privilege users from executing Sandboxie components.
🎯 Exploit Status
Exploitation requires understanding of kernel memory addressing and Windows driver interaction, but the vulnerability is accessible to any user on the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.15.12
Vendor Advisory: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-67p9-6h73-ff7x
Restart Required: Yes
Instructions:
1. Download Sandboxie version 1.15.12 or later from the official repository.
2. Run the installer to upgrade.
3. Restart the system to ensure the updated driver loads.
🔧 Temporary Workarounds
Disable Sandboxie Service
Stop and disable the Sandboxie service to prevent driver loading:
sc stop SbieSvc
sc config SbieSvc start= disabled
Remove Sandboxie Driver
Unload and prevent the vulnerable driver from loading:
sc delete SbieSvc
Remove SbieDrv.sys from system32\drivers
🧯 If You Can't Patch
- Restrict user access to systems running vulnerable Sandboxie versions
- Implement application whitelisting to prevent execution of Sandboxie components by unauthorized users
🔍 How to Verify
Check if Vulnerable:
Check the Sandboxie version in the About dialog or in the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Sandboxie\Version
Check Version:
reg query "HKLM\SOFTWARE\Sandboxie" /v Version
Verify Fix Applied:
Verify that the version is 1.15.12 or higher and that the file version of SbieDrv.sys matches the patched release
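The version check above, as an added example that is not part of the original advisory: it reads the Version value under HKLM\SOFTWARE\Sandboxie named on this page and compares it against the advisory's affected range (1.3.0 through 1.15.11, fixed in 1.15.12) using numeric tuples, so that 1.15.9 is correctly ranked below 1.15.12. The registry read requires Windows; elsewhere the script reports the key as absent.

```python
"""Check whether an installed Sandboxie build falls in the CVE-2025-46715 range."""
import re
import sys

# Affected range from the advisory: 1.3.0 through 1.15.11, fixed in 1.15.12.
FIRST_AFFECTED = (1, 3, 0)
FIXED_IN = (1, 15, 12)


def parse_version(text):
    """Turn '1.15.11' (or '1.15.11.0') into a comparable integer tuple.

    Tuples are used so that 1.15.9 < 1.15.11 < 1.15.12; a plain string
    comparison would wrongly rank '1.15.9' above '1.15.12'.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True if the version lies inside [1.3.0, 1.15.12)."""
    version = parse_version(version_text)
    return FIRST_AFFECTED <= version < FIXED_IN


def read_installed_version():
    """Read the Version value under HKLM\\SOFTWARE\\Sandboxie (the key the
    advisory names). Returns None if the key is missing or this is not Windows."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Sandboxie") as key:
            value, _value_type = winreg.QueryValueEx(key, "Version")
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    installed = read_installed_version()
    if installed is None:
        print("Sandboxie Version key not found (not installed, or not Windows)")
        sys.exit(0)
    status = "VULNERABLE" if is_vulnerable(installed) else "not affected"
    print(f"Sandboxie {installed}: {status} (CVE-2025-46715)")
```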
📡 Detection & Monitoring
Log Indicators:
- System crashes (Event ID 41)
- Sandboxie driver loading events
- Unexpected registry access to SBIE keys
Network Indicators:
- None; this vulnerability is exploited locally and has no network component
SIEM Query:
(EventID=1 AND (Image="*\Sandboxie\*" OR CommandLine="*Sandboxie*")) OR (EventID=41 AND Source="BugCheck")