diff --git a/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch b/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
new file mode 100644
index 0000000..615a70b
--- /dev/null
+++ b/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
@@ -0,0 +1,31 @@
+diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
+index cfb9892..6bf438a 100644
+--- a/src/http/modules/ngx_http_dav_module.c
++++ b/src/http/modules/ngx_http_dav_module.c
+@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
+     ngx_ext_rename_file_t     ext;
+     ngx_http_dav_copy_ctx_t   copy;
+     ngx_http_dav_loc_conf_t  *dlcf;
++    ngx_http_core_loc_conf_t  *clcf;
+ 
+     if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+@@ -644,6 +645,18 @@ destination_done:
+         return NGX_HTTP_CONFLICT;
+     }
+ 
++    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
++    if (clcf->alias
++        && clcf->alias != NGX_MAX_SIZE_T_VALUE
++        && duri.len < clcf->alias)
++    {
++        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                      "client sent invalid \"Destination\" header: \"%V\"",
++                      &dest->value);
++        return NGX_HTTP_BAD_REQUEST;
++    }
++
+     depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
+ 
+     if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
diff --git a/nginx.spec b/nginx.spec
index 2c47dda..4244a2c 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           28%{?dist}
+Release:           29%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -123,6 +123,11 @@ Patch14:           0014-Clarify-binding-behavior-of-t-option.patch
 # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
 Patch15:           0015-Upstream-detect-premature-plain-text-response-from-S.patch
 
+# https://redhat.atlassian.net/browse/RHEL-159563
+# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
+# whitespace were removed from the patch
+Patch16:           0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -639,6 +644,10 @@ fi
 
 
 %changelog
+* Tue Apr 14 2026 Petr Dancak <pdancak@redhat.com> - 2:1.20.1-29
+- Resolves: RHEL-159563 - CVE-2026-27654 nginx: NGINX: Denial of Service
+  or file modification via buffer overflow in ngx_http_dav_module
+
 * Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28
 - Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via
   man-in-the-middle attack on TLS proxied connection