diff --git a/avoid-overflow-on-32bit-system-when-reading-nikon-makernotes.patch b/avoid-overflow-on-32bit-system-when-reading-nikon-makernotes.patch
new file mode 100644
index 0000000..02fa8c7
--- /dev/null
+++ b/avoid-overflow-on-32bit-system-when-reading-nikon-makernotes.patch
@@ -0,0 +1,30 @@
+From 93003b93e50b3d259bd2227d8775b73a53c35d58 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Fri, 3 Apr 2026 11:18:47 +0200
+Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes
+
+The addition o2 = datao + exif_get_long(buf + o2, n->order)
+could have overflowed on systems with 32bit unsigned int size_t.
+
+This could have caused out of bound reads of data, leading to
+misparsing of exif / crashes.
+
+Reported-By: Kerwin <kerwinxia66001@gmail.com>
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index 428f365..37f08ff 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -386,6 +386,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ 		o2 += 2;
+
+ 		/* Go to where the number of entries is. */
++		if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
+ 		o2 = datao + exif_get_long (buf + o2, n->order);
+ 		break;
+
+--
+2.53.0
diff --git a/fixed-2-unsigned-integer-underflows.patch b/fixed-2-unsigned-integer-underflows.patch
new file mode 100644
index 0000000..4c21e61
--- /dev/null
+++ b/fixed-2-unsigned-integer-underflows.patch
@@ -0,0 +1,41 @@
+From dc6eac6e9655d14d0779d99e82d0f5f442d2f34b Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Thu, 2 Apr 2026 13:26:31 +0200
+Subject: [PATCH] fixed 2 unsigned integer underflows
+
+this could cause crashes or data leaks.
+
+Reported-by: Kerwin <kerwinxia66001@gmail.com>
+---
+ libexif/fuji/exif-mnote-data-fuji.c       | 2 +-
+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
+index c28c541..2dcb877 100644
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -70,7 +70,7 @@ exif_mnote_data_fuji_get_value (ExifMnoteData *d, unsigned int i, char *val, uns
+ 	ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) d;
+
+ 	if (!d || !val) return NULL;
+-	if (i > n->count -1) return NULL;
++	if (i >= n->count) return NULL;
+ /*
+ 	exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataFuji",
+ 		  "Querying value for tag '%s'...",
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index a57af17..428f365 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -78,7 +78,7 @@ exif_mnote_data_olympus_get_value (ExifMnoteData *d, unsigned int i, char *val,
+ 	ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) d;
+
+ 	if (!d || !val) return NULL;
+-	if (i > n->count -1) return NULL;
++	if (i >= n->count) return NULL;
+ /*
+ 	exif_log (d->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ 		  "Querying value for tag '%s'...",
+--
+2.53.0
diff --git a/libexif.spec b/libexif.spec
index d4a553f..f535ac1 100644
--- a/libexif.spec
+++ b/libexif.spec
@@ -1,7 +1,7 @@
 Summary:	Library for extracting extra information from image files
 Name:		libexif
 Version:	0.6.22
-Release:	6%{?dist}
+Release:	7%{?dist}
 License:	LGPLv2+
 URL:		https://libexif.github.io/
 %global tarball_version %(echo %{version} | sed -e 's|\\.|_|g')
@@ -12,6 +12,13 @@ Patch0:         CVE-2020-0181-CVE-2020-0198.patch
 # https://github.com/libexif/libexif/commit/9266d14b5ca4e29b970fa03272318e5f99386e06
 Patch1:         CVE-2020-0452.patch
 
+# CVE-2026-40386
+# https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
+# CVE-2026-40385
+# https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58
+Patch:          fixed-2-unsigned-integer-underflows.patch
+Patch:          avoid-overflow-on-32bit-system-when-reading-nikon-makernotes.patch
+
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	doxygen
@@ -83,6 +90,11 @@ make check
 
 
 %changelog
+* Thu May 07 2026 Jan Grulich <jgrulich@redhat.com> - 0.6.22-7
+- Fix integer underflow in MakerNote decoding (CVE-2026-40386)
+- Fix integer overflow in Nikon MakerNote handling (CVE-2026-40385)
+  Resolves: RHEL-170254, RHEL-170235
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.22-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688