CVE-2025-64721

216.73.216.6

· Published 11/12/2025 22:15 · Modified 22/12/2025 18:44

Labels: CVE-2025-64721 2025-12-11 CVE-2025-64721 [email protected]

Essential information

Published: 11/12/2025 22:15
Modified: 22/12/2025 18:44
Author: —
Creator: —
CVSS: 9.9 CRITICAL (v3) 9.9 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7.

NVD status

Status: Analyzed — CVE has had analysis completed and all data associations made.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
sandboxie-plus / sandboxie	`cpe:2.3:a:sandboxie-plus:sandboxie:::::plus:::*`