{"id":"AZL-6357","summary":"CVE-2021-38185 affecting package cpio for versions less than 2.13-4","details":"GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.","modified":"2026-04-01T05:20:47.463243Z","published":"2021-08-08T00:15:07Z","upstream":["CVE-2021-38185"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-38185"}],"affected":[{"package":{"name":"cpio","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/cpio"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.13-4"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-6357.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}