CVE-2025-10158

MEDIUM EPSS 20.0%

Published Nov 18, 20257mo ago · Modified Jun 17, 20261w ago

4.3 CVSS 3.1

Medium

Published Nov 18, 2025 7mo ago

Last Modified Jun 17, 2026 1w ago

Description

A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

CVSS Details

Base Score

4.3

Exploitability

2.8

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality None

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

20.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-129

References 2

attackerkb.com https://attackerkb.com/assessments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1
github.com https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.