diff --git a/SOURCES/0005-Reapply-sysctl-before-rootbld.patch b/SOURCES/0005-Reapply-sysctl-before-rootbld.patch
new file mode 100644
index 0000000..02fe175
--- /dev/null
+++ b/SOURCES/0005-Reapply-sysctl-before-rootbld.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000005 Mon Sep 17 00:00:00 2001
+From: Aleksandra Kachanova
+Date: Mon, 15 Jun 2026 12:00:00 +0000
+Subject: [PATCH] PF-632: re-assert max_user_namespaces before rootbld bwrap
+
+A concurrent, non-isolated RPM build on the same node can run
+`sysctl --system` inside its mock chroot (e.g. cloudlinux-linksafe's
+%posttrans re-applies the el7 base config), which resets the host's
+user.max_user_namespaces to 0. bwrap then fails to create a user
+namespace with the misleading "No space left on device". Re-assert the
+value immediately before invoking bwrap. Best-effort: never fail the
+build if the re-assert is denied.
+---
+ abuild.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/abuild.in b/abuild.in
+index 4447b4d..5555555 100644
+--- a/abuild.in
++++ b/abuild.in
+@@ -2636,6 +2636,9 @@ rootbld() {
+ printf("%s\n", users[i]) > (root "/passwd")
+ }'
+ 
++ # PF-632: re-assert user.max_user_namespaces before bwrap (a concurrent RPM build's sysctl --system can reset it to 0).
++ sudo -n sysctl -w user.max_user_namespaces=20000 >/dev/null 2>&1 || true
++
+ local bwrap_opts=""
+ options_has "net" || bwrap_opts="$bwrap_opts --unshare-net"
+ bwrap --new-session --unshare-ipc --unshare-uts $bwrap_opts \
+-- 
+2.43.5
+
diff --git a/SPECS/abuild.spec b/SPECS/abuild.spec
index 3f6d56f..d55cd7a 100644
--- a/SPECS/abuild.spec
+++ b/SPECS/abuild.spec
@@ -1,6 +1,6 @@
 Name: abuild
 Version: 3.15.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Alpine build tools
 License: GPL-2.0-or-later
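Review bot: The added `sudo -n sysctl -w user.max_user_namespaces=20000 ... || true` line hardcodes 20000 (clobbering any larger value the host admin configured) and swallows every failure, so when `sudo -n` is denied, or the concurrent build resets the knob again between this line and bwrap's clone, the user still gets bwrap's misleading ENOSPC with no hint why. A cheap improvement is to verify the effective value after the re-assert and warn, e.g. `[ "$(sysctl -n user.max_user_namespaces 2>/dev/null)" != 0 ] || warning "user.max_user_namespaces is 0; bwrap will fail to create a user namespace"` (assuming abuild.in's `warning` helper is in scope at this point). Hardcoding `sudo` bypasses whatever privilege helper abuild.in already uses elsewhere (a SUDO/doas variable, if one exists) and implies a NOPASSWD sudoers rule; that rule should be pinned to this exact command and argument rather than `sysctl` with free arguments, since an unrestricted `sysctl -w` as root would let any APKBUILD sourced by abuild flip kernel hardening knobs. The durable fix is a host-side drop-in under /etc/sysctl.d ordered after the el7 base config so the concurrent `sysctl --system` re-applies 20000 instead of 0; this patch only narrows the race. rootbld() begins and ends outside the hunk.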
@@ -13,6 +13,7 @@ Patch0: 0001-Do-not-build-docs.patch Patch1: 0002-Allow-running-abuild-rootbld.patch Patch2: 0003-Pass-startdir-as-a-bind-mount.patch Patch3: 0004-Backport-b0d3dbe3.patch +Patch4: 0005-Reapply-sysctl-before-rootbld.patch BuildRequires: zlib-devel BuildRequires: make @@ -58,6 +59,7 @@ abuild is a set of scripts used to build Alpine Linux packages. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 %build make VERSION=%{version} @@ -100,5 +102,8 @@ done %{_tmpfilesdir}/%{name}.conf %changelog +* Mon Jun 15 2026 Aleksandra Kachanova - 3.15.0-2 +- Reapply user.max_user_namespaces sysctl before rootbld bwrap (PF-632) + * Mon Jul 07 2025 Andrew Lukoshko - 3.15.0-1 - Initial RPM release