Medium severity 4.3 · OSV Advisory · Published Nov 18, 2025 · Updated Apr 15, 2026
CVE-2025-10158
Description
A malicious client acting as the receiver of an rsync file transfer can trigger an out-of-bounds read of a heap-based buffer via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.
Affected products
- Range: mbp_bk_export0, v1.6.4, v1.6.5, …
Patches
797e17fc4a6f