PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60095 Vinchin CVE debrief

CVE-2026-60095 is a stack buffer overflow vulnerability in Vinchin Backup & Recovery through 9.0.0.86562. The vulnerability exists in the ModuleHandShake function of the agentlink_server service, allowing unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field. This can lead to process crashes or potential control flow hijacks. Users of Vinchin Backup & Recovery through 9.0.0.86562 should apply the vendor's remediation to prevent potential process crashes or control flow hijacks. The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM.

Vendor
Vinchin
Product
Backup & Recovery 9.0
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Vinchin Backup & Recovery through 9.0.0.86562 should apply the vendor's remediation to prevent potential process crashes or control flow hijacks. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability exists in the ModuleHandShake function of the agentlink_server service. An oversized _listen_uuid field, measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(), allows unauthenticated remote attackers to corrupt the stack. This can lead to process crashes or potential control flow hijacks. The affected product is Vinchin Backup & Recovery through 9.0.0.86562.

Defensive priority

Medium

Recommended defensive actions

  • Apply the vendor's remediation for Vinchin Backup & Recovery through 9.0.0.86562.
  • Inventory and verify the version of Vinchin Backup & Recovery in use.
  • Implement compensating controls, such as network segmentation and monitoring.
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-09T14:16:35.390Z and was last modified on 2026-07-10T17:41:47.303Z. The NVD entry is currently Deferred. The source details are limited, and further verification is needed to confirm the affected scope and severity. Defenders should verify the vendor's remediation and apply it to prevent potential process crashes or control flow hijacks. Additional review of the official advisory and CVE record is recommended to validate affected scope, severity, and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T14:16:35.390Z and has not been modified since then. The NVD entry is currently Deferred.