CVE-2025-64721

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7.

CVSS

No CVSS.

References

Link	Resource
https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp

Configurations

No configuration.

History

15 Dec 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp -~~	() https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp -

11 Dec 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-11 22:15

Updated : 2025-12-15 16:15

NVD link : CVE-2025-64721

Mitre link : CVE-2025-64721

CVE.ORG link : CVE-2025-64721

JSON object : View

Products Affected

No product.

CWE

CWE-190

Integer Overflow or Wraparound

{"id": "CVE-2025-64721", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-11T22:15:55.653", "references": [{"url": "https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa", "source": "security-advisories@github.com"}, {"url": "https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7", "source": "security-advisories@github.com"}, {"url": "https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp", "source": "security-advisories@github.com"}, {"url": "https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7."}], "lastModified": "2025-12-15T16:15:52.920", "sourceIdentifier": "security-advisories@github.com"}