CVE-2025-64721

CVE-2025-64721 is a heap overflow vulnerability (CWE-190) in Sandboxie, a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. It affects versions 1.16.6 and prior, specifically within the SYSTEM-level service SbieSvc.exe. The issue arises in the SbieIniServer::RC4Crypt handler, which exposes functionality to sandboxed processes and adds a fixed header size to a caller-controlled value_len parameter without overflow checking. A large value_len, such as 0xFFFFFFF0, causes the allocation size to wrap around, resulting in an undersized buffer into which attacker-controlled data is copied, triggering the overflow. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Sandboxed processes can exploit this vulnerability remotely over the network with low complexity and no privileges required. An attacker running malicious code within a Sandboxie-isolated environment can supply a crafted value_len to trigger the heap overflow in SbieSvc.exe, enabling arbitrary code execution with SYSTEM privileges on the host system. This fully compromises the host, bypassing the sandbox isolation entirely.

Sandboxie addresses this issue in version 1.16.7, as detailed in the project's GitHub security advisory (GHSA-w476-j57g-96vp), release notes, and the fixing commit (000492f8c411d24292f1b977a107994347bc7dfa). Security practitioners should update to 1.16.7 or later to mitigate the risk.