diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e12bbc454a..0a00ec387aa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ IMPROVEMENTS:
 BUG FIXES:
  * core: Fixed a bug where ACLToken and ACLPolicy changes were ignored by the event stream [[GH-9595](https://github.com/hashicorp/nomad/issues/9595)]
  * core: Fixed a bug to honor HCL2 variables set by environment variables or variable files [[GH-9592](https://github.com/hashicorp/nomad/issues/9592)] [[GH-9623](https://github.com/hashicorp/nomad/issues/9623)]
+ * cni: Fixed a bug where plugins that do not set the interface sandbox value could crash the Nomad client. [[GH-9648](https://github.com/hashicorp/nomad/issues/9648)]
 
 ## 1.0.0 (December 8, 2020)
 
diff --git a/client/allocrunner/networking_cni.go b/client/allocrunner/networking_cni.go
index 0fdd8a617cb..6306882dc1b 100644
--- a/client/allocrunner/networking_cni.go
+++ b/client/allocrunner/networking_cni.go
@@ -114,14 +114,20 @@ func (c *cniNetworkConfigurator) Setup(ctx context.Context, alloc *structs.Alloc
 	netStatus := new(structs.AllocNetworkStatus)
 
 	if len(res.Interfaces) > 0 {
-		iface, name := func(r *cni.CNIResult) (*cni.Config, string) {
-			for i := range r.Interfaces {
-				if r.Interfaces[i].Sandbox != "" {
-					return r.Interfaces[i], i
-				}
+		// find an interface with Sandbox set, or any one of them if no
+		// interface has it set
+		var iface *cni.Config
+		var name string
+		for name, iface = range res.Interfaces {
+			if iface != nil && iface.Sandbox != "" {
+				break
 			}
-			return nil, ""
-		}(res)
+		}
+		if iface == nil {
+			// this should never happen but this value is coming from external
+			// plugins so we should guard against it
+			return nil, fmt.Errorf("failed to configure network: no valid interface")
+		}
 
 		netStatus.InterfaceName = name
 		if len(iface.IPConfigs) > 0 {