diff --git a/hplip-CVE-2026-8631-osh.patch b/hplip-CVE-2026-8631-osh.patch
new file mode 100644
index 0000000..2f2929e
--- /dev/null
+++ b/hplip-CVE-2026-8631-osh.patch
@@ -0,0 +1,35 @@
+diff --git a/prnt/hpcups/genPCLm.cpp b/prnt/hpcups/genPCLm.cpp
+index 1952ef2..0b3208a 100644
+--- a/prnt/hpcups/genPCLm.cpp
++++ b/prnt/hpcups/genPCLm.cpp
+@@ -1921,8 +1921,11 @@ int  PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
+ #ifdef SUPPORT_WHITE_STRIPS
+ 	int whiteStripLen=0;
+ 	if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) ||
+-	   !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen))
++	   !safe_mul_int_positive(thisHeight, srcNumComponents, &whiteStripLen))
++	{
++		free(newStripPtr);
+ 		return(errorOutAndCleanUp());
++	}
+ 	bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen);
+ 	if(DebugIt2)
+ 	{
+@@ -1944,11 +1947,17 @@ int  PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
+ 			ubyte whitePt=0xff;
+ 			size_t tmpStripSize=0;
+ 			if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
++			{
++				free(newStripPtr);
+ 				return(errorOutAndCleanUp());
++			}
+ 
+ 			ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
+ 			if(!tmpStrip)
++			{
++				free(newStripPtr);
+ 				return(errorOutAndCleanUp());
++			}
+ 			memset(tmpStrip,whitePt,tmpStripSize);
+ 
+ 
diff --git a/hplip.spec b/hplip.spec
index 934ca7e..00c9c99 100644
--- a/hplip.spec
+++ b/hplip.spec
@@ -7,7 +7,7 @@
 Summary: HP Linux Imaging and Printing Project
 Name: hplip
 Version: 3.18.4
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+ and MIT and BSD and IJG and Public Domain and GPLv2+ with exceptions and ISC
 
 Url: https://developers.hp.com/hp-linux-imaging-and-printing
@@ -53,6 +53,8 @@ Patch33: hplip-CVE-2026-8632.patch
 # via integer overflow in hpcups
 # https://redhat.atlassian.net/browse/RHEL-178718
 Patch34: hplip-CVE-2026-8631.patch
+# OSH fixes after CVE-2026-8631
+Patch35: hplip-CVE-2026-8631-osh.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: python3-pillow
@@ -265,6 +267,8 @@ rm prnt/hpcups/ErnieFilter.{cpp,h} prnt/hpijs/ernieplatform.h
 %patch -P 33 -p1 -b .CVE-2026-8632
 # CVE-2026-8631 - integer overflow in hpcups
 %patch -P 34 -p1 -b .CVE-2026-8631
+# OSH fixes after CVE-2026-8631
+%patch -P 35 -p1 -b .CVE-2026-8631-osh
 
 sed -i.duplex-constraints \
     -e 's,\(UIConstraints.* \*Duplex\),//\1,' \
@@ -550,7 +554,10 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/autostart/hplip-systray.desktop
 %config(noreplace) %{_sysconfdir}/sane.d/dll.d/hpaio
 
 %changelog
-* Tue Jun 10 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-11
+* Fri Jun 12 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-12
+- OSH fixes after CVE-2026-8631
+
+* Tue Jun 09 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-11
 - CVE-2026-8631 hplip: Arbitrary code execution and privilege escalation
   via integer overflow in hpcups