diff --git a/xen.spec b/xen.spec index ffb650d..3f5c8ed 100644 --- a/xen.spec +++ b/xen.spec @@ -58,7 +58,7 @@ Summary: Xen is a virtual machine monitor Name: xen Version: 4.14.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ and BSD URL: http://xen.org/ Source0: https://downloads.xenproject.org/release/xen/%{version}/xen-%{version}.tar.gz @@ -118,6 +118,7 @@ Patch47: xen.git-d6627cf1b63ce57a6a7e2c1800dbc50eed742c32.patch Patch48: xen.git-d8099d94dfaa3573bd86ebfc457cbc8f70a3ecda.patch Patch49: xen.git-8169f82049efb5b2044b33aa482ba3a136b7804d.patch Patch50: xsa363.patch +Patch51: xsa386.patch %if %build_qemutrad @@ -332,6 +333,7 @@ manage Xen virtual machines. %patch48 -p1 %patch49 -p1 %patch50 -p1 +%patch51 -p1 # qemu-xen-traditional patches pushd tools/qemu-xen-traditional @@ -938,6 +940,10 @@ fi %endif %changelog +* Wed Oct 06 2021 Michael Young - 4.14.3-2 +- PCI devices with RMRRs not deassigned correctly [XSA-386, CVE-2021-28702] + (#2011248) + * Mon Sep 13 2021 Michael Young - 4.14.3-1 - update to xen-4.14.3 remove or adjust patches now included or superceded upstream diff --git a/xsa386.patch b/xsa386.patch new file mode 100644 index 0000000..83f24d3 --- /dev/null +++ b/xsa386.patch 
@@ -0,0 +1,29 @@
+From: Jan Beulich
+Subject: VT-d: fix deassign of device with RMRR
+Date: Fri, 1 Oct 2021 15:05:42 +0200
+
+Ignoring a specific error code here was not meant to short circuit
+deassign to _just_ the unmapping of RMRRs. This bug was previously
+hidden by the bogus (potentially indefinite) looping in
+pci_release_devices(), until f591755823a7 ("IOMMU/PCI: don't let domain
+cleanup continue when device de-assignment failed") fixed that loop.
+
+This is CVE-2021-28702 / XSA-386.
+
+Fixes: 8b99f4400b69 ("VT-d: fix RMRR related error handling")
+Reported-by: Ivan Kardykov
+Signed-off-by: Jan Beulich
+Tested-by: Ivan Kardykov
+
+--- a/xen/drivers/passthrough/vtd/iommu.c
++++ b/xen/drivers/passthrough/vtd/iommu.c
+@@ -2409,7 +2409,7 @@ static int reassign_device_ownership(
+ ret = iommu_identity_mapping(source, p2m_access_x,
+ rmrr->base_address,
+ rmrr->end_address, 0);
+- if ( ret != -ENOENT )
++ if ( ret && ret != -ENOENT )
+ return ret;
+ }
+ }
+
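Review bot: The corrected test `if ( ret && ret != -ENOENT )` in the embedded iommu.c hunk still carries no comment saying why both a zero return and -ENOENT have to fall through, and that unstated intent is what the description says allowed the earlier RMRR error-handling change to cut deassignment short after only the RMRR unmapping. I would add a comment directly above the check, for example `/* Only a real failure aborts; 0 or -ENOENT must continue so the device itself is reassigned, not just its RMRRs unmapped. */`. The meaning of -ENOENT here (presumably "no identity mapping was present for this range") is inferred from the call and the commit message, so the wording should be confirmed against iommu_identity_mapping(). reassign_device_ownership() begins and ends outside the hunk, so the rest of the reassignment path that this change unblocks is not visible here.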