diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix
index c172edd1fd98..7aeeef7322ee 100644
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@@ -11,12 +11,19 @@ in stdenv.mkDerivation {
     sha256 = "0vbgnhkawdllgnkdn6zn1f56fczwk0518krakz2qbwhxmv2vvdga";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2021-38185.patch";
-      url = "https://git.savannah.gnu.org/cgit/cpio.git/patch/?id=dd96882877721703e19272fe25034560b794061b";
-      sha256 = "0vmr0qjwj2ldnzsvccl105ckwgx3ssvn9mp3f27ss0kiyigrzz32";
-    })
+  patches = let
+    fp = suffix: rev: sha256: fetchpatch {
+      name = "CVE-2021-38185-${suffix}.patch";
+      url = "https://git.savannah.gnu.org/cgit/cpio.git/patch/?id=${rev}";
+      inherit sha256;
+    };
+  in [
+    (fp "1" "dd96882877721703e19272fe25034560b794061b"
+        "0vmr0qjwj2ldnzsvccl105ckwgx3ssvn9mp3f27ss0kiyigrzz32")
+    (fp "2" "dfc801c44a93bed7b3951905b188823d6a0432c8"
+        "1qkrhi3lbxk6hflp6w3h4sgssc0wblv8r0qgxqzbjrm36pqwxiwh")
+    (fp "3" "236684f6deb3178043fe72a8e2faca538fa2aae1"
+        "0pidkbxalpj5yz4fr95x8h0rizgjij0xgvjgirfkjk460giawwg6")
   ];
 
   preConfigure = if stdenv.isCygwin then ''