CVE-2025-10158 MEDIUM

CVE-2025-10158: Rsync: Out of bounds array access via negative index

Vendor Rsync
Product rsync
Weakness CWE-129
Published November 18, 2025
Last update November 19, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
November 19, 2025 Record updated