diff --git a/codex-rs/core/src/exec.rs b/codex-rs/core/src/exec.rs
index 52a28d57533..45ec00f81cf 100644
--- a/codex-rs/core/src/exec.rs
+++ b/codex-rs/core/src/exec.rs
@@ -410,6 +410,11 @@ pub(crate) fn is_likely_sandbox_denied(
     // 2: misuse of shell builtins
     // 126: permission denied
     // 127: command not found
+    const QUICK_REJECT_EXIT_CODES: [i32; 3] = [2, 126, 127];
+    if QUICK_REJECT_EXIT_CODES.contains(&exec_output.exit_code) {
+        return false;
+    }
+
     const SANDBOX_DENIED_KEYWORDS: [&str; 7] = [
         "operation not permitted",
         "permission denied",
@@ -437,11 +442,6 @@ pub(crate) fn is_likely_sandbox_denied(
         return true;
     }
 
-    const QUICK_REJECT_EXIT_CODES: [i32; 3] = [2, 126, 127];
-    if QUICK_REJECT_EXIT_CODES.contains(&exec_output.exit_code) {
-        return false;
-    }
-
     #[cfg(unix)]
     {
         const SIGSYS_CODE: i32 = libc::SIGSYS;
@@ -827,6 +827,15 @@ mod tests {
         ));
     }
 
+    #[test]
+    fn sandbox_detection_ignores_keywords_for_quick_reject_exit_codes() {
+        let output = make_exec_output(126, "", "Permission denied", "");
+        assert!(!is_likely_sandbox_denied(
+            SandboxType::LinuxSeccomp,
+            &output
+        ));
+    }
+
     #[test]
     fn sandbox_detection_ignores_non_sandbox_mode() {
         let output = make_exec_output(1, "", "Operation not permitted", "");