diff --git a/SPECS/rsync/CVE-2025-10158.patch b/SPECS/rsync/CVE-2025-10158.patch
new file mode 100644
index 00000000000..3081a17d743
--- /dev/null
+++ b/SPECS/rsync/CVE-2025-10158.patch
@@ -0,0 +1,33 @@
+From 19bc086cd5ba49074baf330b8fdd77fb80ff39ae Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f.patch
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c3..b1588b7 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+ 		if (ndx - cur_flist->ndx_start >= 0)
+ 			file = cur_flist->files[ndx - cur_flist->ndx_start];
++		else if (cur_flist->parent_ndx < 0)
++			exit_cleanup(RERR_PROTOCOL);
+ 		else
+ 			file = dir_flist->files[cur_flist->parent_ndx];
+ 		if (F_PATHNAME(file)) {
+-- 
+2.45.4
+
diff --git a/SPECS/rsync/rsync.spec b/SPECS/rsync/rsync.spec
index e479053dfdb..ddcc9d8ca76 100644
--- a/SPECS/rsync/rsync.spec
+++ b/SPECS/rsync/rsync.spec
@@ -1,13 +1,14 @@
 Summary:        Fast incremental file transfer.
 Name:           rsync
 Version:        3.4.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Appication/Internet
 URL:            https://rsync.samba.org/
 Source0:        https://download.samba.org/pub/rsync/src/%{name}-%{version}.tar.gz
+Patch0:         CVE-2025-10158.patch
 BuildRequires:  lz4-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  zlib-devel
@@ -60,6 +61,9 @@ EOF
 %{_sysconfdir}/rsyncd.conf
 
 %changelog
+* Tue Nov 18 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.4.1-2
+- Patch for CVE-2025-10158
+
 * Wed Jan 15 2025 Henry Beberman <henry.beberman@microsoft.com> - 3.4.1-1
 - Upgrade to version 3.4.1 to fix CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747