CVE-2026-60094
Received Received - Intake

Heap Buffer Overflow in Vinchin Backup & Recovery

Vulnerability report for CVE-2026-60094, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulnCheck

Description

Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
vinchin backup_and_recovery 9.0.0.86562
vinchin backup_and_recovery to 9.0.0.86562 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the heap buffer overflow vulnerability in Vinchin Backup & Recovery affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-60094 is a heap buffer overflow vulnerability in Vinchin Backup & Recovery version 9.0.0.86562 and earlier. It exists in the agentlink_server service and can be exploited by unauthenticated remote attackers.

The vulnerability occurs when an attacker sends a malformed TCP packet with a manipulated body_len field. This length value is passed unchecked to the recv() function, causing a heap overflow of up to approximately 4 GiB.

As a result, the affected process can crash or experience memory corruption.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to cause a process crash or memory corruption in the Vinchin Backup & Recovery software.

Such impacts can lead to denial of service conditions where backup or recovery operations may be interrupted or fail.

Memory corruption could potentially be leveraged for further exploitation, although the primary known impact is process crash.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for malformed TCP packets sent to the agentlink_server service, specifically those with suspicious or manipulated body_len fields that could trigger a heap buffer overflow.

Since the vulnerability involves sending a malformed TCP packet to a specific service, network packet capture tools like tcpdump or Wireshark can be used to inspect incoming packets to the agentlink_server port for abnormal length fields.

  • Use tcpdump to capture packets to the agentlink_server port (replace <port> with the actual port): tcpdump -i <interface> tcp port <port> -w capture.pcap
  • Analyze the captured packets with Wireshark to look for TCP packets with unusual or malformed body_len fields.
  • Monitor the agentlink_server process for crashes or memory corruption symptoms, which may indicate exploitation attempts.
Mitigation Strategies

Immediate mitigation steps include restricting network access to the agentlink_server service to trusted hosts only, such as by using firewall rules to block unauthorized incoming TCP connections.

Additionally, monitoring the service for crashes or abnormal behavior can help detect exploitation attempts early.

Applying any available patches or updates from Vinchin that address this vulnerability is recommended once they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60094. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart