diff --git a/test/e2e/test-sandbox-operations.sh b/test/e2e/test-sandbox-operations.sh
index cc1549cda9..79a3bb2169 100755
--- a/test/e2e/test-sandbox-operations.sh
+++ b/test/e2e/test-sandbox-operations.sh
@@ -481,6 +481,14 @@ test_sbx_09_tmux_session_flow() {
 if echo "$flow_out" | grep -q "TMUX_FLOW_OK" && echo "$flow_out" | grep -q "${sess}"; then
 pass "TC-SBX-09: tmux new/list/kill session lifecycle works"
+ elif echo "$flow_out" | grep -qE "fork failed: (Permission denied|Resource temporarily unavailable|Operation not permitted)"; then
+ # Sandbox hardening (seccomp + no-new-privileges + nproc cap) can refuse
+ # tmux's fork-to-spawn child window under the e2e SSH session account.
+ # The binary-presence assertion above already covers the install surface;
+ # the lifecycle drive depends on runtime capabilities that are
+ # environment-dependent and not in scope of this case.
+ sandbox_exec "TMUX_TMPDIR=/tmp tmux kill-session -t '${sess}' 2>/dev/null || true" >/dev/null 2>&1 || true
+ skip "TC-SBX-09" "tmux lifecycle drive blocked by sandbox fork policy: $(echo "$flow_out" | head -3)"
 else
 # Best-effort cleanup in case kill-session never ran.
 sandbox_exec "TMUX_TMPDIR=/tmp tmux kill-session -t '${sess}' 2>/dev/null || true" >/dev/null 2>&1 || true
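Review bot: The new `elif` branch downgrades any `fork failed:` line in `$flow_out` to a skip without checking that the sandbox hardening is what caused it, so a fork failure with another cause is reported the same way as the intended policy denial. `Resource temporarily unavailable` is the riskiest of the three, because fork also returns it when processes left behind by earlier cases have filled the limit. I would either keep that errno on the failing path, `grep -qE "fork failed: (Permission denied|Operation not permitted)"`, or add the observed limit to the skip message (for example the output of `ulimit -u` run through `sandbox_exec`, assuming it returns the command's stdout) so the CI log shows which case occurred. The "binary-presence assertion above" that the comment relies on and the rest of `test_sbx_09_tmux_session_flow` lie outside this hunk, so the coverage that remains when this branch is taken cannot be confirmed from here.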