diff --git a/httpd-2.4.53-CVE-2022-28614.patch b/httpd-2.4.53-CVE-2022-28614.patch
new file mode 100644
index 0000000..ef2b535
--- /dev/null
+++ b/httpd-2.4.53-CVE-2022-28614.patch
@@ -0,0 +1,61 @@
+From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:34:16 +0000
+Subject: [PATCH] Merge r1901500 from trunk:
+
+handle large writes in ap_rputs
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901501 13f79535-47bb-0310-9956-ffa450edef68
+---
+ include/http_protocol.h | 22 +++++++++++++++++++++-
+ server/protocol.c       |  3 +++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/include/http_protocol.h b/include/http_protocol.h
+index 20bd2022266..94c481e5f43 100644
+--- a/include/http_protocol.h
++++ b/include/http_protocol.h
+@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
+  */
+ static APR_INLINE int ap_rputs(const char *str, request_rec *r)
+ {
+-    return ap_rwrite(str, (int)strlen(str), r);
++    apr_size_t len;
++
++    len = strlen(str);
++
++    for (;;) {
++        if (len <= INT_MAX) {
++            return ap_rwrite(str, (int)len, r);
++        }
++        else {
++            int rc;
++
++            rc = ap_rwrite(str, INT_MAX, r);
++            if (rc < 0) {
++                return rc;
++            }
++            else {
++                str += INT_MAX;
++                len -= INT_MAX;
++            }
++        }
++    }
+ }
+ 
+ /**
+diff --git a/server/protocol.c b/server/protocol.c
+index 298f61e1fb8..7adc7f75c10 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
+ 
+ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
+ {
++    if (nbyte < 0)
++        return -1;
++
+     if (r->connection->aborted)
+         return -1;
+ 
diff --git a/httpd.spec b/httpd.spec
index a168b0d..0059187 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -122,6 +122,8 @@ Patch200: httpd-2.4.53-CVE-2022-26377.patch
 Patch201: httpd-2.4.53-CVE-2022-28615.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2095020
 Patch202: httpd-2.4.53-CVE-2022-31813.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2095002
+Patch203: httpd-2.4.53-CVE-2022-28614.patch
 
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -292,6 +294,7 @@ written in the Lua programming language.
 %patch200 -p1 -b .CVE-2022-26377
 %patch201 -p1 -b .CVE-2022-28615
 %patch202 -p1 -b .CVE-2022-31813
+%patch203 -p1 -b .CVE-2022-28614
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -858,6 +861,7 @@ exit $rv
   ap_strcmp_match()
 - Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
   by hop-by-hop mechanism
+- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
 
 * Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
 - Related: #2065677 - httpd minimisation for ubi-micro