mediumCVE-2026-60094

Vinchin Backup & Recovery agentlink_server Heap Buffer Overflow Vulnerability

Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.

ProductBackup & Recovery
CVSS6.9
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Vinchin Backup & Recovery should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Vinchin Backup & Recovery through 9.0.0.86562

Fixed versions

  • Apply the latest vendor-supported patched release

How to fix it

Vinchin Backup & Recovery through 9.0.0.86562 is affected by a heap buffer overflow in agentlink_server through unchecked body_len handling. Upgrade to a patched vendor release and limit network access to backup services. Treat crashes or malformed packet activity as potential compromise indicators for backup infrastructure.

  1. Inventory Vinchin Backup & Recovery servers and agents running through 9.0.0.86562.
  2. Upgrade affected systems to the latest vendor-supported patched release.
  3. Restrict agentlink_server communication to trusted backup subnets and approved agents.
  4. Block external or user-network access to backup agent ports.
  5. Review crash logs and packet captures for malformed TCP packets with abnormal body_len values.
  6. Rotate backup credentials, agent secrets, and repository access keys if suspicious activity is found.
  7. Verify backup repository integrity before resuming normal operations.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm affected Vinchin components are upgraded beyond the vulnerable build.
  • Validate malformed packets no longer crash agentlink_server in a safe test environment.
  • Review service uptime and logs for heap corruption or repeated crashes.
  • Test backup, restore, and agent connectivity after patching.
  • Run a Fixnx scan and confirm backup administration services are not public.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-60094?

Vinchin Backup & Recovery versions listed as affected should be reviewed: Vinchin Backup & Recovery through 9.0.0.86562.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.