PatchSiren cyber security CVE debrief
CVE-2026-60094 Vinchin CVE debrief
CVE-2026-60094 is a heap buffer overflow vulnerability in Vinchin Backup & Recovery through 9.0.0.86562. The vulnerability allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. This issue has a significant impact on network-based services and requires immediate attention to prevent potential exploitation.
- Vendor
- Vinchin
- Product
- Backup & Recovery 9.0
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of Vinchin Backup & Recovery through 9.0.0.86562 should apply the vendor's remediation to prevent potential memory corruption or process crashes. Additionally, administrators and security teams responsible for managing and securing backup and recovery systems should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability exists in the agentlink_server service of Vinchin Backup & Recovery. An unauthenticated remote attacker can send a crafted TCP packet with a malicious body_len field, which is not properly checked, leading to a heap buffer overflow. This overflow can cause the process to crash or potentially corrupt memory. The attack vector is network-based, and no user interaction is required. Affected systems should be updated with the vendor's official remediation to prevent exploitation.
Defensive priority
Medium
Recommended defensive actions
- Apply the vendor's official remediation for Vinchin Backup & Recovery through 9.0.0.86562.
- Restrict access to the agentlink_server service to only trusted networks or implement additional monitoring.
- Perform regular inventory checks to ensure all instances of Vinchin Backup & Recovery are updated.
- Consider implementing compensating controls such as network segmentation or intrusion detection systems.
- Monitor for any suspicious network activity related to the agentlink_server service.
Evidence notes
The CVE record was published on 2026-07-09T14:16:35.247Z and last modified on 2026-07-10T17:41:47.303Z. The NVD entry is currently Deferred. The vulnerability was disclosed by Code White and reported by [email protected]. The CVE details are based on information from official sources, including CVE.org and the NVD.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T14:16:35.247Z and has not been modified since then. The NVD entry is currently Deferred.