GNU · GNU cpio · CVE-2021-38185
**Name of the Vulnerable Software and Affected Versions**
GNU cpio versions 2.13 and earlier
**Description**
The issue is an integer overflow in `ds_fgetstr` in dstring.c of GNU cpio. `ds_fgetstr` reads one line into a dynamically grown buffer, and in 2.13 the buffer size is tracked in an `int` and grown as `strsize * 2 + 2`. Once the line being read exceeds roughly 1 GiB, that computation wraps; the companion `ds_resize` only reallocates when the requested size is larger than the current one, so the wrapped (negative) request is silently ignored while the read loop keeps storing bytes past the end of the allocation. The result is an out-of-bounds heap write that an attacker could use to execute arbitrary code. `ds_fgetstr` is reached from the code that reads a pattern file supplied with the `-E` option (one filename pattern per line, used during copy-in to select members), so the trigger is a crafted pattern file containing a single line of more than about 1 GiB with no newline. As NVD notes, it is unclear whether there are common cases where the `-E` pattern file is untrusted data; in most deployments it is written by the operator running cpio.
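The growth rule above can be reproduced without feeding cpio a gigabyte of input. The following is an added example, not cpio's own code: it recomputes the 2.13 doubling sequence in wide arithmetic to find the capacity at which `strsize * 2 + 2` would wrap, and next to it shows a `size_t`-based line reader whose growth step refuses to overflow, which is the shape of the upstream fix. The initial size of 128 and the in-memory reader used instead of `getc` are choices made for this example.

```c
/* Added example for CVE-2021-38185. Not code from GNU cpio. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replays the cpio 2.13 growth rule (new size = strsize * 2 + 2, in int)
   starting from an assumed initial buffer of `initial` bytes, but computes it
   in long long so this function itself has no undefined behaviour.  Returns
   the capacity at which the next doubling would exceed INT_MAX: in cpio the
   wrapped request is ignored by ds_resize, so a line longer than this many
   bytes is written past the end of the heap buffer. */
long long vulnerable_overflow_threshold(int initial)
{
    long long strsize = initial;
    for (;;) {
        long long next = strsize * 2 + 2;
        if (next > INT_MAX)
            return strsize;      /* growth silently stops here in 2.13 */
        strsize = next;
    }
}

/* In-memory stand-in for FILE* + getc(), so the example runs offline. */
typedef struct { const unsigned char *p; size_t n, i; } mem_reader;
static int mr_getc(mem_reader *r) { return r->i < r->n ? r->p[r->i++] : EOF; }

typedef struct { char *str; size_t len; } dstring;   /* len = bytes allocated */

/* Hardened growth: size_t arithmetic with an explicit overflow check.
   Returns 0 on success, -1 if the request cannot be satisfied. */
static int ds_grow(dstring *s, size_t min)
{
    if (s->len >= min) return 0;
    size_t n = s->len ? s->len : 16;
    while (n < min) {
        if (n > SIZE_MAX / 2) return -1;   /* doubling would wrap: refuse */
        n *= 2;
    }
    char *p = realloc(s->str, n);
    if (!p) return -1;
    s->str = p;
    s->len = n;
    return 0;
}

/* Safe counterpart of ds_fgetstr: reads up to `eos` or EOF, NUL-terminates.
   Returns NULL at EOF with no data, or on allocation/overflow failure (*err=1). */
char *ds_getstr_safe(mem_reader *r, dstring *s, int eos, int *err)
{
    size_t insize = 0;
    int c;
    *err = 0;
    while ((c = mr_getc(r)) != EOF && c != eos) {
        if (ds_grow(s, insize + 2) != 0) { *err = 1; return NULL; }
        s->str[insize++] = (char)c;
    }
    if (ds_grow(s, insize + 1) != 0) { *err = 1; return NULL; }
    s->str[insize] = '\0';
    return (insize == 0 && c == EOF) ? NULL : s->str;
}

/* Constructed sample -E pattern file (not taken from any real system). */
static const char sample_patterns[] = "etc/*\nusr/bin/cpio\n\nlib/**\n";

/* Counts the pattern lines a cpio-style reader would see in buf. */
size_t count_pattern_lines(const char *buf, size_t n)
{
    mem_reader r = { (const unsigned char *)buf, n, 0 };
    dstring s = { NULL, 0 };
    size_t count = 0;
    int err;
    while (ds_getstr_safe(&r, &s, '\n', &err) != NULL)
        count++;
    free(s.str);
    return err ? (size_t)-1 : count;
}

/* Reads one line of `len` bytes through the safe reader and returns the
   length actually stored, exercising several buffer doublings. */
size_t long_line_roundtrip(size_t len)
{
    char *buf = malloc(len + 1);
    if (!buf) return 0;
    memset(buf, 'A', len);
    buf[len] = '\n';
    mem_reader r = { (const unsigned char *)buf, len + 1, 0 };
    dstring s = { NULL, 0 };
    int err;
    size_t got = 0;
    if (ds_getstr_safe(&r, &s, '\n', &err) != NULL)
        got = strlen(s.str);
    free(s.str);
    free(buf);
    return got;
}

int main(void)
{
    printf("2.13 growth wraps once a line exceeds %lld bytes\n",
           vulnerable_overflow_threshold(128));
    printf("sample pattern file: %zu lines\n",
           count_pattern_lines(sample_patterns, sizeof sample_patterns - 1));
    printf("5000-byte line read back: %zu bytes\n", long_line_roundtrip(5000));
    return 0;
}
```

Starting from 128 bytes the 2.13 sequence is 128, 258, 518, ... and reaches 1090519038 bytes before the next doubling exceeds `INT_MAX`, which is why the trigger needs a pattern line of about 1 GiB. The hardened reader instead propagates a failure from `ds_grow`, so the caller can abort cleanly rather than write past the buffer.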
**Recommendations**
Upgrade to a fixed build. Upstream rewrote the dynamic string support in dstring.c (sizes tracked as `size_t`, growth checked for overflow) in August 2021, shortly after the report; GNU cpio 2.14 is the first release that contains the fix, and most distributions backported the patch to their 2.13 packages, so check your package's changelog rather than relying on the version number alone (`cpio --version`). Where a fixed build cannot be deployed yet, do not pass pattern files from untrusted sources with `-E`; the pattern file must be operator-controlled, and a file carrying a single line of more than about 1 GiB should be treated as malicious. The vulnerable code cannot be disabled by configuration, since `ds_fgetstr` is an internal function of the cpio binary, and the defect does not affect archive parsing itself, only the reading of the `-E` pattern file.