diff --git a/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
new file mode 100644
index 0000000..54f2550
--- /dev/null
+++ b/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
@@ -0,0 +1,59 @@
+From 044e2209586fd1935d9a637df76d52f48c4f3e6e Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 24 Jul 2020 16:05:24 -0400
+Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
+
+In check_cbt(), use a local variable to hold the retrieved authdata
+list, and free it before returning.
+
+ticket: 8900
+(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)
+---
+ src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+index 175a24c4e..3d5b84b15 100644
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
+ /* Look for AP_OPTIONS in authdata.  If present and the options include
+  * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
+ static krb5_error_code
+-check_cbt(krb5_context context, krb5_authdata **authdata,
++check_cbt(krb5_context context, krb5_authdata *const *authdata,
+           krb5_boolean *cbt_out)
+ {
+     krb5_error_code code;
++    krb5_authdata **ad;
+     uint32_t ad_ap_options;
+     const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
+ 
+     *cbt_out = FALSE;
+ 
+     code = krb5_find_authdata(context, NULL, authdata,
+-                              KRB5_AUTHDATA_AP_OPTIONS, &authdata);
+-    if (code || authdata == NULL)
++                              KRB5_AUTHDATA_AP_OPTIONS, &ad);
++    if (code || ad == NULL)
+         return code;
+-    if (authdata[1] != NULL || authdata[0]->length != 4)
+-        return KRB5KRB_AP_ERR_MSG_TYPE;
++    if (ad[1] != NULL || ad[0]->length != 4) {
++        code = KRB5KRB_AP_ERR_MSG_TYPE;
++    } else {
++        ad_ap_options = load_32_le(ad[0]->contents);
++        if (ad_ap_options & KERB_AP_OPTIONS_CBT)
++            *cbt_out = TRUE;
++    }
+ 
+-    ad_ap_options = load_32_le(authdata[0]->contents);
+-    if (ad_ap_options & KERB_AP_OPTIONS_CBT)
+-        *cbt_out = TRUE;
+-
+-    return 0;
++    krb5_free_authdata(context, ad);
++    return code;
+ }
+ 
+ /*
diff --git a/krb5.spec b/krb5.spec
index 4a61316..7199f35 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 17%{?dist}
+Release: 18%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -70,6 +70,7 @@ Patch31: Add-channel-bindings-tests.patch
 Patch32: Use-two-queues-for-concurrent-t_otp.py-daemons.patch
 Patch33: Allow-gss_unwrap_iov-of-unpadded-RC4-tokens.patch
 Patch34: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
+Patch35: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -631,6 +632,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Aug 04 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-18
+- Fix leak in KERB_AP_OPTIONS_CBT server support
+
 * Mon Aug 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-17
 - Revert qualify_shortname removal