Skip to main content

Vinchin Backup Recovery CVE-2026-60094

| EUVDEUVD-2026-42587 MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-09 VulnCheck GHSA-m3jh-5jc7-f446
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-accessible unauthenticated service with no conditions; process crash is the confirmed primary impact (A:H); memory corruption introduces limited integrity risk (I:L); no confidentiality impact demonstrated.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 13:55 vuln.today

DescriptionCVE.org

Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.

AnalysisAI

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify agentlink_server TCP port
Delivery
Craft TCP packet with body_len set to ~4 GiB
Exploit
Send single unauthenticated malformed packet
Execution
recv() writes beyond heap buffer bounds
Impact
Process crash or heap memory corruption achieved

Vulnerability AssessmentAI

Exploitation No special configuration, authentication, or user interaction is required - the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) and the description both confirm unauthenticated remote exploitation against default Vinchin Backup & Recovery 9.0 deployments where the agentlink_server service is running and network-accessible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms fully unauthenticated network exploitation with no attack complexity or special configuration conditions, representing worst-case accessibility. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker with TCP network access to the Vinchin agentlink_server port crafts a minimal TCP packet containing a body_len header field set to a large value such as 0xFFFFFFFF (~4 GiB). The service reads the packet header, extracts the attacker-controlled length without validation, and calls recv() with that length against a much smaller heap-allocated buffer, writing network-supplied data far beyond its bounds - immediately crashing the agentlink_server process or corrupting adjacent heap structures in a manner that may be leveraged for further exploitation on systems lacking modern heap mitigations.
Remediation No vendor-released patched version has been independently confirmed from the available references - the fix version is not independently verified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy