Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible unauthenticated service with no conditions; process crash is the confirmed primary impact (A:H); memory corruption introduces limited integrity risk (I:L); no confidentiality impact demonstrated.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
AnalysisAI
Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special configuration, authentication, or user interaction is required - the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) and the description both confirm unauthenticated remote exploitation against default Vinchin Backup & Recovery 9.0 deployments where the agentlink_server service is running and network-accessible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated network exploitation with no attack complexity or special configuration conditions, representing worst-case accessibility. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with TCP network access to the Vinchin agentlink_server port crafts a minimal TCP packet containing a body_len header field set to a large value such as 0xFFFFFFFF (~4 GiB). The service reads the packet header, extracts the attacker-controlled length without validation, and calls recv() with that length against a much smaller heap-allocated buffer, writing network-supplied data far beyond its bounds - immediately crashing the agentlink_server process or corrupting adjacent heap structures in a manner that may be leveraged for further exploitation on systems lacking modern heap mitigations. |
| Remediation | No vendor-released patched version has been independently confirmed from the available references - the fix version is not independently verified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Backup Recovery 9 0
View allSame weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42587
GHSA-m3jh-5jc7-f446