CVE-2026-60095 in Backup & Recoveryinfo

Summary

by MITRE • 07/09/2026

Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability exists within the vinchin backup and recovery software version 9.0.0.86562 where the agentlink_server service exhibits a classic stack buffer overflow condition in the ModuleHandShake function. The flaw stems from improper input validation and memory management practices that allow attackers to manipulate the program's execution flow through crafted network requests. The vulnerability specifically manifests when processing the _listen_uuid field which undergoes length measurement using strlen() before being copied into a fixed-size stack buffer using the dangerous strcpy() function without any bounds checking mechanisms. This fundamental programming error creates an exploitable condition where an attacker can supply an oversized payload that exceeds the allocated buffer space and overwrites adjacent memory locations including the saved return address on the stack.

The technical impact of this vulnerability extends beyond simple process termination as it represents a potential code execution vector that could enable attackers to achieve arbitrary code execution within the context of the affected service. The stack overflow occurs during network communication handling where unauthenticated remote attackers can send specially crafted requests containing malicious _listen_uuid values that trigger the buffer overrun condition. This allows for complete control flow hijacking since the overwritten return address can be manipulated to redirect program execution to attacker-controlled code locations. The vulnerability's classification aligns with common weakness enumeration CWE-121 which describes stack-based buffer overflow conditions, and it maps directly to attack techniques described in the mitre att&ck framework under initial access and execution phases where adversaries exploit software vulnerabilities to gain system control.

The operational impact of this vulnerability is significant as it affects organizations relying on vinchin backup solutions for their data protection infrastructure. Attackers can leverage this weakness to disrupt backup operations, potentially causing complete service outages that compromise disaster recovery capabilities and business continuity planning. The lack of authentication requirements means the attack surface is broad since any network entity can attempt exploitation without prior credentials or access privileges. Organizations running affected versions may experience unauthorized access to backup systems, potential data exfiltration through manipulated backup processes, and overall degradation of their backup infrastructure security posture. The vulnerability essentially provides a backdoor into critical backup operations that could be exploited for more sophisticated attacks including persistent access or further network infiltration.

Mitigation strategies should include immediate software updates from vinchin vendor to address the identified buffer overflow condition and implement network segmentation controls to limit exposure of the affected service to trusted networks only. Organizations should also consider implementing intrusion detection systems capable of identifying suspicious network traffic patterns associated with oversized _listen_uuid fields and deploy application firewalls to filter malicious requests before they reach vulnerable components. Additional protective measures include disabling unnecessary network services, monitoring for abnormal process behavior that might indicate exploitation attempts, and maintaining detailed audit logs of backup service communications. System administrators should also consider applying the principle of least privilege by running the affected service with minimal required permissions and regularly testing backup restoration procedures to ensure continued operational integrity even if the vulnerability is exploited.

Responsible

VulnCheck

Reservation

07/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!