CVE-2025-10158

Published: Nov 18, 2025Modified: Nov 19, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: cve@rapid7.com (Secondary)

Description

A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Related CWEs

CWE-129

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

References (2)

https://attackerkb.com/assessments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1

Source: cve@rapid7.com

https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f

Source: cve@rapid7.com

Timeline

No history available yet.