diff --git a/bind-9.16-isc_hp-CVE-2023-50387.patch b/bind-9.16-isc_hp-CVE-2023-50387.patch
new file mode 100644
index 0000000..806e29e
--- /dev/null
+++ b/bind-9.16-isc_hp-CVE-2023-50387.patch
@@ -0,0 +1,66 @@
+From 103b09187466b2afbff7e204d166d21e2fbb057c Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Wed, 21 Feb 2024 11:54:27 +0100
+Subject: [PATCH] Downstream specific changes related to KeyTrap
+
+Fix for CVE-2023-50387 introduced new additional thread. But because
+isc_hp functions were removed from later bind 9.16 release, their
+changes did not contain increase of hazard pointers max thread limit.
+To prevent obscure memory corruption increase thread max size.
+
+In addition place at least few INSISTs to check this is catched before
+random memory overwrites begins. It would be quite difficult to track
+without any check.
+---
+ lib/isc/hp.c | 3 +++
+ lib/isc/managers.c | 5 +++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/hp.c b/lib/isc/hp.c
+index 92d160b..5f9bbf7 100644
+--- a/lib/isc/hp.c
++++ b/lib/isc/hp.c
+@@ -138,6 +138,7 @@ isc_hp_destroy(isc_hp_t *hp) {
+ 
+ void
+ isc_hp_clear(isc_hp_t *hp) {
++ INSIST(tid() < isc__hp_max_threads);
+ for (int i = 0; i < hp->max_hps; i++) {
+ atomic_store_release(&hp->hp[tid()][i], 0);
+ }
+@@ -152,6 +153,7 @@ uintptr_t
+ isc_hp_protect(isc_hp_t *hp, int ihp, atomic_uintptr_t *atom) {
+ uintptr_t n = 0;
+ uintptr_t ret;
++ INSIST(tid() < isc__hp_max_threads);
+ while ((ret = atomic_load(atom)) != n) {
+ atomic_store(&hp->hp[tid()][ihp], ret);
+ n = ret;
+@@ -173,6 +175,7 @@ isc_hp_protect_release(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr) {
+ 
+ void
+ isc_hp_retire(isc_hp_t *hp, uintptr_t ptr) {
++ INSIST(tid() < isc__hp_max_threads);
+ hp->rl[tid()]->list[hp->rl[tid()]->size++] = ptr;
+ INSIST(hp->rl[tid()]->size < isc__hp_max_retired);
+ 
+diff --git a/lib/isc/managers.c b/lib/isc/managers.c
+index c39a650..3bdca99 100644
+--- a/lib/isc/managers.c
++++ b/lib/isc/managers.c
+@@ -25,9 +25,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
+ 
+ /*
+ * We have ncpus network threads, ncpus old network threads - make
+- * it 4x just to be on the safe side.
++ * it 4x just to be on the safe side. One additional for slow netmgr
++ * thread.
+ */
+- isc_hp_init(4 * workers);
++ isc_hp_init(5 * workers);
+ 
+ REQUIRE(netmgrp != NULL && *netmgrp == NULL);
+ isc__netmgr_create(mctx, workers, &netmgr);
+--
+2.43.2
+
diff --git a/bind.spec b/bind.spec
index 48553c6..9525c6b 100644
--- a/bind.spec
+++ b/bind.spec
@@ -148,6 +148,8 @@ Patch200: bind-9.16-CVE-2023-4408-test2.patch
 Patch201: bind-9.16-system-test-cds.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34
 Patch202: bind-9.16-isc-mempool-attach.patch
+# Downstream only change, complements patch 198
+Patch203: bind-9.16-isc_hp-CVE-2023-50387.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -479,6 +481,7 @@ in HTML and PDF format.
 %patch200 -p1
 %patch201 -p1 -b .test-variant-def
 %patch202 -p1 -b .mempool-attach
+%patch203 -p1 -b .isc_hp-CVE-2023-50387
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1209,6 +1212,7 @@ fi;
 %changelog
 * Mon Feb 19 2024 Petr Menšík - 32:9.16.23-17
 - Import tests for large DNS messages fix
+- Add downstream change complementing CVE-2023-50387
 
 * Mon Feb 12 2024 Petr Menšík - 32:9.16.23-16
 - Prevent increased CPU load on large DNS messages (CVE-2023-4408)
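Review bot: The multiplier in `isc_hp_init(5 * workers);` does not match the comment added two lines above it, which says one additional slow-netmgr thread was introduced; the comment as written describes `isc_hp_init(4 * workers + 1);`. Over-provisioning by a full `workers` is harmless apart from the extra per-slot hazard-pointer and retire-list storage, so if the headroom is intended the comment should state that rather than describe a +1. The new `INSIST(tid() < isc__hp_max_threads);` guards are the right trade — a controlled assertion failure instead of an out-of-bounds write through `hp->hp[tid()]` / `hp->rl[tid()]` — but `isc_hp_protect_release`, whose signature is visible in the third hp.c hunk header, receives none; if it also indexes by `tid()` it should carry the same check. Each nested hp.c and managers.c hunk starts inside a function whose body continues outside the hunk, so I cannot confirm the guard covers every `tid()`-indexed access.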
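Review bot: The comment on `Patch203` identifies its counterpart only by number (`complements patch 198`), which silently goes stale the next time the patch list is renumbered; naming the fix is more durable, e.g. `# Downstream only: raise the isc_hp thread limit for the extra netmgr thread added by the CVE-2023-50387 fix`. Patch 198 itself is outside this diff, so I cannot confirm it is the CVE-2023-50387 backport that the new patch file's description refers to. Since the new patch presumably must apply on top of that one, keeping `%patch203` after it in the apply sequence — as the second hunk does — matters if the list is ever reordered.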