diff --git a/ntp-4.2.6p5-cve-2016-2518.patch b/ntp-4.2.6p5-cve-2016-2518.patch
new file mode 100644
index 0000000..ed68938
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2016-2518.patch
@@ -0,0 +1,19 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518 ntp-4.2.6p5/ntpd/ntp_request.c
+--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2016-2518	2016-04-29 13:41:22.690006470 +0200
++++ ntp-4.2.6p5/ntpd/ntp_request.c	2016-04-29 13:56:12.039936978 +0200
+@@ -1342,7 +1342,6 @@ do_conf(
+ 	memset(&temp_cp, 0, sizeof(struct conf_peer));
+ 	memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize));
+ 
+-#if 0 /* paranoid checking - these are done in newpeer() */
+ 	fl = 0;
+ 	while (items-- > 0 && !fl) {
+ 		if (((temp_cp.version) > NTP_VERSION)
+@@ -1363,7 +1362,6 @@ do_conf(
+ 		req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ 		return;
+ 	}
+-#endif /* end paranoid checking */
+ 
+ 	/*
+ 	 * Looks okay, try it out
diff --git a/ntp.spec b/ntp.spec
index cf8ee38..8817af4 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -179,6 +179,8 @@ Patch64: ntp-4.2.6p5-linklocal.patch
 Patch65: ntp-4.2.6p5-cve-2016-1548.patch
 # ntpbz #3011
 Patch66: ntp-4.2.6p5-cve-2016-2516.patch
+# ntpbz #3009
+Patch67: ntp-4.2.6p5-cve-2016-2518.patch
 
 # handle unknown clock types
 Patch100: ntpstat-0.2-clksrc.patch
@@ -344,6 +346,7 @@ This package contains NTP documentation in HTML format.
 %patch64 -p1 -b .linklocal
 %patch65 -p1 -b .cve-2016-1548
 %patch66 -p1 -b .cve-2016-2516
+%patch67 -p1 -b .cve-2016-2518
 
 # ntpstat patches
 %patch100 -p1 -b .clksrc