CVE-2026-60094
Vinchin Backup & Recovery 9.0.0.86562 Heap Buffer Overflow via agentlink_server
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
| CWE | CWE-787 |
| Vendor | vinchin |
| Product | backup & recovery 9.0 |
| Published | Jul 9, 2026 |
| Last Updated | Jul 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for vinchin backup & recovery 9.0
Be the first to know when new medium vulnerabilities affecting vinchin backup & recovery 9.0 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Affected Versions
Vinchin / Backup & Recovery 9.0
0 โค 9.0.0.86562
References
Credits
CODE WHITE GmbH