Skip to main content

Backup Recovery 9 0

2 CVEs product

Monthly

CVE-2026-60095 MEDIUM This Month

Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.

Buffer Overflow Stack Overflow Backup Recovery 9 0
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-60094 MEDIUM This Month

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. This vulnerability is not listed in CISA KEV and no public exploit code is confirmed at time of analysis, though the heap overflow magnitude raises concern for potential code execution beyond simple denial-of-service.

Memory Corruption Buffer Overflow Backup Recovery 9 0
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
EPSS 0% CVSS 6.9
MEDIUM This Month

Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.

Buffer Overflow Stack Overflow Backup Recovery 9 0
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. This vulnerability is not listed in CISA KEV and no public exploit code is confirmed at time of analysis, though the heap overflow magnitude raises concern for potential code execution beyond simple denial-of-service.

Memory Corruption Buffer Overflow Backup Recovery 9 0
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy