Vinchin Backup & Recovery agentlink_server Heap Buffer Overflow Vulnerability
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
Quick answer
Vinchin Backup & Recovery should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Vinchin Backup & Recovery through 9.0.0.86562
Fixed versions
- Apply the latest vendor-supported patched release
How to fix it
Vinchin Backup & Recovery through 9.0.0.86562 is affected by a heap buffer overflow in agentlink_server through unchecked body_len handling. Upgrade to a patched vendor release and limit network access to backup services. Treat crashes or malformed packet activity as potential compromise indicators for backup infrastructure.
- Inventory Vinchin Backup & Recovery servers and agents running through 9.0.0.86562.
- Upgrade affected systems to the latest vendor-supported patched release.
- Restrict agentlink_server communication to trusted backup subnets and approved agents.
- Block external or user-network access to backup agent ports.
- Review crash logs and packet captures for malformed TCP packets with abnormal body_len values.
- Rotate backup credentials, agent secrets, and repository access keys if suspicious activity is found.
- Verify backup repository integrity before resuming normal operations.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm affected Vinchin components are upgraded beyond the vulnerable build.
- Validate malformed packets no longer crash agentlink_server in a safe test environment.
- Review service uptime and logs for heap corruption or repeated crashes.
- Test backup, restore, and agent connectivity after patching.
- Run a Fixnx scan and confirm backup administration services are not public.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-60094?
Vinchin Backup & Recovery versions listed as affected should be reviewed: Vinchin Backup & Recovery through 9.0.0.86562.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
