CVE-2025-10158

medium

Description

A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

References

https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f

https://attackerkb.com/assessments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1

Details

Source: Mitre, NVD

Published: 2025-11-18

Updated: 2025-11-19

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00029