CVE-2026-60094 in Backup & Recovery
Summary
by MITRE • 07/09/2026
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability exists within the Vinchin Backup & Recovery software version 9.0.0.86562 where the agentlink_server service fails to properly validate the body_len field in incoming TCP packets. The flaw represents a classic heap buffer overflow condition that occurs when an unchecked length parameter is used to determine buffer allocation size, creating a dangerous scenario where attacker-controlled data directly influences memory operations. The vulnerability specifically manifests when the recv() function receives a malformed packet containing an attacker-controlled body_len value, which bypasses normal input validation mechanisms and allows for arbitrary memory manipulation.
The technical implementation of this flaw follows CWE-121 heap-based buffer overflow patterns where memory is allocated based on user-supplied data without proper bounds checking. When the agentlink_server service processes the malicious TCP packet, it uses the unchecked body_len field to determine how much data to receive and store in heap memory. This creates an exploitable condition where attackers can control both the size of the buffer allocation and potentially overwrite adjacent memory regions, leading to process termination or more severe memory corruption that could be leveraged for code execution. The vulnerability's impact is amplified by the fact that no authentication is required to exploit this condition, making it particularly dangerous in networked environments.
The operational consequences of this vulnerability extend beyond simple service disruption to potential system compromise and data integrity threats. Remote attackers can reliably crash the backup agent service without requiring any credentials or prior access to the system, effectively creating a denial-of-service vector that could impact critical backup operations and business continuity. In scenarios where the software is deployed in enterprise environments with extensive backup infrastructure, this vulnerability could be used to disrupt backup schedules, potentially leaving organizations vulnerable during critical recovery operations. The potential for memory corruption also opens pathways for advanced exploitation techniques that could lead to privilege escalation or arbitrary code execution depending on the system configuration and memory layout.
Mitigation strategies should focus on immediate patch application from the vendor as the primary defense mechanism, since this vulnerability affects core service functionality. Network segmentation and access control measures can help reduce exposure by limiting direct network access to the affected service ports, though this does not eliminate the remote attack surface entirely given the unauthenticated nature of the exploit. Implementing network-based intrusion detection systems that monitor for malformed TCP packets with suspicious body_len values could provide additional defensive layers. Organizations should also consider disabling unnecessary services and applying principle of least privilege configurations to minimize potential impact if exploitation occurs. The vulnerability aligns with ATT&CK technique T1203 (Exploitation for Client Execution) and represents a significant risk for environments relying on backup systems for disaster recovery planning, making proactive remediation essential for maintaining operational resilience.