diff --git a/cups-ppdopen-heap-overflow.patch b/cups-ppdopen-heap-overflow.patch
new file mode 100644
index 0000000..4b725e1
--- /dev/null
+++ b/cups-ppdopen-heap-overflow.patch
@@ -0,0 +1,42 @@
+diff --git a/cups/ppd.c b/cups/ppd.c
+index ff52df2e..199cf034 100644
+--- a/cups/ppd.c
++++ b/cups/ppd.c
+@@ -1719,8 +1719,7 @@ _ppdOpen(
+                      constraint->choice1, constraint->option2,
+ 		     constraint->choice2))
+       {
+-        case 0 : /* Error */
+-	case 1 : /* Error */
++        default : /* Error */
+ 	    pg->ppd_status = PPD_BAD_UI_CONSTRAINTS;
+ 	    goto error;
+ 
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index c25d4966..236c00db 100644
+--- a/ppdc/ppdc-source.cxx
++++ b/ppdc/ppdc-source.cxx
+@@ -1743,15 +1743,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read
+ 
+   switch (sscanf(name, "%dx%d", &xdpi, &ydpi))
+   {
+-    case 0 :
+-        _cupsLangPrintf(stderr,
+-	                _("ppdc: Bad resolution name \"%s\" on line %d of "
+-			  "%s."), name, fp->line, fp->filename);
+-        break;
+     case 1 :
+         ydpi = xdpi;
+ 	break;
+-  }
++    case 2 :
++        break;
++    default :
++        _cupsLangPrintf(stderr,
++                  _("ppdc: Bad resolution name \"%s\" on line %d of "
++        "%s."), name, fp->line, fp->filename);
++        break;
++}
+ 
+   // Create the necessary PS commands...
+   snprintf(command, sizeof(command),
diff --git a/cups.spec b/cups.spec
index 10b7f05..d98329a 100644
--- a/cups.spec
+++ b/cups.spec
@@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0 with exceptions for GPL2/LGPL2
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@@ -95,6 +95,8 @@ Patch22: cups-autostart-when-enabled.patch
 Patch100: cups-lspp.patch
 
 #### UPSTREAM PATCHES ####
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+Patch23: cups-ppdopen-heap-overflow.patch
 
 ##### Patches removed because IMHO they aren't no longer needed
 ##### but still I'll leave them in git in case their removal
@@ -301,6 +303,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in 
 %patch22 -p1 -b .autostart-when-enabled
 
 #### UPSTREAMED PATCHES ####
+# 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+%patch23 -p1 -b .ppdopen-heap-overflow
 
 # removed dbus patch - seems breaking things
 # Fix implementation of com.redhat.PrinterSpooler D-Bus object.
@@ -727,6 +731,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippevepcl.7.gz
 
 %changelog
+* Tue Apr 21 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.1-9
+- 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+
 * Wed Apr 08 2020 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.1-8
 - 1822154 - cups.service doesn't execute automatically on request