diff --git a/libarchive-3.5.3-Fix-CVE-2022-26280.patch b/libarchive-3.5.3-Fix-CVE-2022-26280.patch
new file mode 100644
index 0000000..1fd9431
--- /dev/null
+++ b/libarchive-3.5.3-Fix-CVE-2022-26280.patch
@@ -0,0 +1,14 @@
+# Patch sources from libarchive upstream
+# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
+
+--- libarchive-3.5.3/libarchive/archive_read_support_format_zip.c.old	2022-05-18 08:55:50.861574517 +0000
++++ libarchive-3.5.3/libarchive/archive_read_support_format_zip.c	2022-05-18 08:57:03.049574517 +0000
+@@ -1657,7 +1657,7 @@ zipx_lzma_alone_init(struct archive_read
+ 	 */
+ 
+ 	/* Read magic1,magic2,lzma_params from the ZIPX stream. */
+-	if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++	if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ 		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ 		    "Truncated lzma data");
+ 		return (ARCHIVE_FATAL);
diff --git a/libarchive.spec b/libarchive.spec
index f5d016d..fb1c65d 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -2,7 +2,7 @@
 
 Name:           libarchive
 Version:        3.5.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A library for handling streaming archive formats
 
 License:        BSD
@@ -37,6 +37,8 @@ BuildRequires: make
 # loaded, which breaks the RIPEMD-160 test. This patch disables the RIPEMD-160
 # support explicitly.
 Patch0001: 0001-Drop-rmd160-from-OpenSSL.patch
+# Source: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
+Patch2: %{name}-3.5.3-Fix-CVE-2022-26280.patch
 
 
 %description
@@ -222,6 +224,9 @@ run_testsuite
 
 
 %changelog
+* Wed May 18 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-2
+- Resolves: CVE-2022-26280
+
 * Mon Feb 14 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-1
 - Rebase to version 3.5.3