Vinchin Backup & Recovery agentlink_server Stack Buffer Overflow Vulnerability
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
Quick answer
Vinchin Backup & Recovery should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Vinchin Backup & Recovery through 9.0.0.86562
Fixed versions
- Apply the latest vendor-supported patched release
How to fix it
Vinchin Backup & Recovery through 9.0.0.86562 is affected by a stack buffer overflow in agentlink_server. Apply the latest vendor-supported patched release and restrict agent communication ports. Backup infrastructure holds high-value credentials and data paths, so review logs for unauthenticated network attempts.
- Inventory Vinchin Backup & Recovery servers, agents, and versions through 9.0.0.86562.
- Upgrade to the latest vendor-supported patched release.
- Restrict agentlink_server and backup agent communication to trusted backup networks only.
- Block unauthenticated access to backup services from user, internet, or untrusted segments.
- Review agentlink_server logs, crash reports, and network telemetry for oversized _listen_uuid values.
- Rotate backup administrator credentials and agent secrets if exploitation is suspected.
- Validate backup repository integrity and restore points after remediation.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Vinchin Backup & Recovery is upgraded beyond the affected build.
- Validate malformed handshake requests no longer crash or corrupt agentlink_server.
- Review logs for unauthenticated exploit attempts and process crashes.
- Test backup, replication, restore, and agent registration workflows after the upgrade.
- Run a Fixnx scan and confirm backup management services are not publicly exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-60095?
Vinchin Backup & Recovery versions listed as affected should be reviewed: Vinchin Backup & Recovery through 9.0.0.86562.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
