1. Home
  2. CVE Database
  3. CVE-2025-46716
MEDIUM · 5.5

CVE-2025-46716

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize i...

Vulnerability Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM. Version 1.15.12 fixes the issue.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
Sandboxie-PlusSandboxie>= 1.3.0, < 1.15.12

Related Weaknesses (CWE)

CWE-125

References

FAQ

What is CVE-2025-46716?

CVE-2025-46716 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize i...

How severe is CVE-2025-46716?

CVE-2025-46716 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-46716?

Check the references section above for vendor advisories and patch information. Affected products include: Sandboxie-Plus Sandboxie.