Sandboxie-Plus released version 1.17.5 (classic build 5.72.5) on May 2, 2026, delivering critical regression fixes, shell interaction improvements, and compatibility enhancements that address instabilities introduced in prior builds.
This update is part of a broader security-focused development cycle that began with the landmark v1.17.3 release, which patched multiple vulnerabilities, including a high-severity CVE. Users of all prior 1.17.x versions are encouraged to upgrade immediately.
Sandboxie-Plus is an open-source, sandbox-based isolation tool for 32-bit and 64-bit Windows NT-based systems, maintained by developer David Xanatos.
It creates a protected, isolated operating environment where applications can be executed or installed without permanently modifying the host system, making it a critical security layer for threat analysts, enterprise security teams, and privacy-conscious users alike.
As Windows application complexity grows, particularly with Electron apps, UWP frameworks, and WebView2 containers, Sandboxie-Plus has evolved from a simple sandbox utility into a full-featured isolation platform with per-process controls, hardware information protection, and kernel-level security validation.
One of the most impactful fixes in v1.17.5 is the addition of a workaround for applications that request access to the default desktop object.
Previously, such requests triggered the SBIE2205 OpenDesktop warning, breaking compatibility with software that expected direct access to the default desktop environment. The update resolves this silently, with no changes required on the end user’s part.
A regression introduced in v1.17.3 prevented users from renaming sandboxes, producing a cryptic “The parameter is incorrect” error.
The root cause was traced to multi-line configuration values being rejected by the newly introduced ContainsCRLF validation logic inside CIniFile::AddValue.
The fix restores renaming functionality and also updates the user interface to automatically reselect the renamed sandbox after the operation, improving usability and eliminating the need for manual renavigation.
When using OpenWinClass=*, tray icons from sandboxed applications were not displaying correctly on the host taskbar. Sandboxie-Plus v1.17.5 resolves this by proxying Shell_NotifyIcon calls, ensuring that icons are correctly registered with the host shell.
This behavior is enabled by default and can be toggled using the new UseShellNotifyIconProxy option, which supports both per-process and exclusion-based (!process) selectors for granular control.
The update also addresses a visual and behavioral issue with windows that dynamically toggle the WS_EX_TOPMOST extended window style.
Sandboxie now tracks topmost state changes in real time and adjusts window ordering accordingly, ensuring correct border visibility and z-order management.
This fix is particularly relevant for applications such as screen recorders, overlay tools, and always-on-top utilities that run inside sandbox environments.
To understand the importance of staying current with Sandboxie-Plus, we need to examine the security vulnerabilities that have been patched in recent releases.
CVE-2026-34459 is the most severe vulnerability in the recent release cycle. It affected versions 1.17.2 and earlier and resides in the SbieSvc proxy service’s GetRawInputDeviceInfoSlave IPC handler.
The vulnerability chain works as follows: a sandboxed process sends a crafted IPC request with cbSize set to 0, causing the service to return up to 32KB of uninitialized stack memory, leaking return addresses and stack cookies, effectively bypassing both ASLR and /GS stack protections.
A second flaw in the same handler allows a memcpy operation with an attacker-controlled length that overflows the 32KB stack buffer. By chaining these two weaknesses, a sandboxed process can execute a ROP chain to achieve SYSTEM-level privilege escalation, even from a Security Hardened Sandbox. Intel CET (hardware-enforced shadow stacks) blocks execution of the ROP chain, but does not prevent the information leak itself.
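The two weaknesses described above are both missing-validation bugs in a privileged handler that trusts sizes supplied by a less-privileged caller. The following is an added example, not Sandboxie-Plus source code or its actual patch: a generic C handler with the checks that close each half of the chain. The message layout, `query_device_info` and `handle_request` are hypothetical names constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 32768u /* 32KB stack buffer, the size the article gives */

/* Hypothetical message layout, constructed for this example. */
typedef struct { uint32_t cbSize; uint32_t in_len; const uint8_t *in; } request_t;
typedef struct { int status; uint32_t out_len; uint8_t out[BUF_SIZE]; } reply_t;

/* Stand-in for the API call made on the client's behalf: writes at most
 * cap bytes (24 constructed bytes here) and returns the count written. */
static uint32_t query_device_info(uint8_t *dst, uint32_t cap)
{
    uint32_t n = cap < 24u ? cap : 24u;
    memset(dst, 0xD1, n);
    return n;
}

/* Returns 0 and fills rp on success, -1 with an empty reply on rejection. */
int handle_request(const request_t *rq, reply_t *rp)
{
    uint8_t buf[BUF_SIZE];
    uint32_t written;

    memset(rp, 0, sizeof *rp);
    rp->status = -1;
    /* Leak half: a declared size of 0 means nothing gets written, so a
     * handler that still returns the buffer returns stale stack contents. */
    if (rq->cbSize == 0 || rq->cbSize > BUF_SIZE)
        return -1;
    /* Overflow half: the copy length is client-supplied, so bound it by the
     * declared size, which was just bounded by the buffer itself. */
    if (rq->in_len > rq->cbSize || (rq->in_len != 0 && rq->in == NULL))
        return -1;
    memset(buf, 0, sizeof buf);          /* never start from stale stack */
    if (rq->in_len != 0)
        memcpy(buf, rq->in, rq->in_len);
    written = query_device_info(buf, rq->cbSize);
    if (written > rq->cbSize)
        return -1;
    memcpy(rp->out, buf, written);       /* reply only what was produced */
    rp->out_len = written;
    rp->status = 0;
    return 0;
}
```

The reply length is taken from the number of bytes actually produced rather than from the buffer size, so even a request that passes validation cannot read back more than the call wrote.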
CVE-2026-32603 is a high-severity improper check for unusual conditions, also addressed in version 1.17.3. This vulnerability could be triggered by a sandboxed process, leading to a local denial-of-service condition.
Alongside this, v1.17.3 also patched an INI CRLF injection flaw that allowed bypassing of the EditAdminOnly configuration protection, a ProcessServer name validation weakness, and NamedPipeServer parameter validation gaps.
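The INI CRLF injection class mentioned above comes from the file format being line-oriented: a value that carries its own line break is read back as an extra setting. The following is an added example, not Sandboxie-Plus code: a minimal in-memory INI writer with a line-break check in the spirit of the ContainsCRLF validation named earlier. `ini_add_value`, `ini_count_setting` and the setting names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* True if the string carries a carriage return or line feed. */
static int contains_crlf(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Append "name=value\r\n" to an in-memory INI section. With validate set,
 * names and values containing line breaks are refused.
 * Returns 0 on success, -1 on rejection or if the text does not fit. */
int ini_add_value(char *ini, size_t cap, const char *name,
                  const char *value, int validate)
{
    size_t used = strlen(ini);
    int n;

    if (validate && (contains_crlf(name) || contains_crlf(value)))
        return -1;
    n = snprintf(ini + used, cap - used, "%s=%s\r\n", name, value);
    if (n < 0 || (size_t)n >= cap - used) {
        ini[used] = '\0';                /* undo a truncated write */
        return -1;
    }
    return 0;
}

/* Count the lines that set `name`, as a line-based reader would see them. */
int ini_count_setting(const char *ini, const char *name)
{
    size_t nlen = strlen(name);
    int count = 0;
    const char *p = ini;

    while (*p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            count++;
        p += strcspn(p, "\r\n");         /* skip to the end of this line */
        p += strspn(p, "\r\n");          /* skip the line break itself */
    }
    return count;
}
```

The same check refuses every multi-line value, legitimate or not, which is the kind of side effect behind the sandbox-rename regression described earlier.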
A medium-severity CVE disclosed in May 2026, this vulnerability further highlights the ongoing security scrutiny that the Sandboxie-Plus codebase is receiving from external researchers. The patch history over the 1.17.x lifecycle demonstrates a maturing security posture and responsible disclosure process.
The v1.17.5 release is available in three binary formats: Sandboxie-Plus-x64 (23.4 MB), Sandboxie-Plus-ARM64 (21.1 MB), and Sandboxie-Classic-x64 (2.98 MB), all with published SHA-256 checksums for integrity verification.
Users experiencing installation issues should uninstall the previous version while preserving their sandboxie.ini configuration file before reinstalling the new build. The project is open-source and community-supported through donations via the official Xanasoft forum and GitHub repository.
Given that versions 1.17.2 and earlier contain a chained sandbox-escape vulnerability with a CVSS severity of 8.8 (CVE-2026-34459) that enables SYSTEM privilege escalation, organizations using Sandboxie-Plus in threat analysis pipelines, enterprise environments, or security research workflows face a genuine risk without upgrading.
The v1.17.5 build represents the most stable and secure release in the 1.17.x series, combining the security hardening of v1.17.3 with regression corrections from v1.17.4 and v1.17.5, making it the definitive recommended version as of May 2026.
FAQ
Q1: Is Sandboxie-Plus v1.17.5 safe to use?
Yes, v1.17.5 is the most secure release in the 1.17.x line, patching all known CVEs, including the CVSS 8.8 sandbox-escape chain, fixed in v1.17.3.
Q2: What is CVE-2026-34459, and who is affected?
It is a chained IPC vulnerability in Sandboxie-Plus ≤1.17.2 that enables SYSTEM privilege escalation via stack memory leak and ROP execution.
Q3: Does Sandboxie-Plus v1.17.5 support Windows ARM64 devices?
Yes, a dedicated ARM64 installer (21.1 MB) is available with SHA-256 checksum verification for secure deployment.
Q4: How do I upgrade Sandboxie-Plus without losing my sandbox configuration?
Uninstall the previous version while keeping sandboxie.ini intact, then install the new build. Your sandbox settings will be preserved.
Site: https://thecybrdef.com