diff --git a/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch b/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
new file mode 100644
index 0000000..28ad2b9
--- /dev/null
+++ b/0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
@@ -0,0 +1,31 @@
+From 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Mon, 29 Jul 2024 10:19:00 -0400
+Subject: [PATCH] tpm2: Return TPM_RC_VALUE upon decryption failure
+
+When decryption fails then return TPM_RC_VALUE rather than TPM_RC_FAILURE.
+The old error code could indicate to an application or driver that
+something is wrong with the TPM (has possibly gone into failure mode) even
+though only the decryption failed, possibly due to a wrong key.
+
+Signed-off-by: Stefan Berger
+---
+ src/tpm2/crypto/openssl/CryptRsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tpm2/crypto/openssl/CryptRsa.c b/src/tpm2/crypto/openssl/CryptRsa.c
+index b5d6b6c3..88ee3bac 100644
+--- a/src/tpm2/crypto/openssl/CryptRsa.c
++++ b/src/tpm2/crypto/openssl/CryptRsa.c
+@@ -1457,7 +1457,7 @@ CryptRsaDecrypt(
+ outlen = sizeof(buffer);
+ if (EVP_PKEY_decrypt(ctx, buffer, &outlen,
+ cIn->buffer, cIn->size) <= 0)
+- ERROR_RETURN(TPM_RC_FAILURE);
++ ERROR_RETURN(TPM_RC_VALUE);
+
+ if (outlen > dOut->size)
+ ERROR_RETURN(TPM_RC_FAILURE);
+--
+2.41.0.28.gd7d8841f67
+
diff --git a/libtpms.spec b/libtpms.spec
index fee500b..b8cb253 100644
--- a/libtpms.spec
+++ b/libtpms.spec
@@ -3,7 +3,7 @@
 Name: libtpms
 Version: 0.9.1
-Release: 3.%{gitdate}git%{gitversion}%{?dist}
+Release: 4.%{gitdate}git%{gitversion}%{?dist}
 Summary: Library providing Trusted Platform Module (TPM) functionality
 License: BSD 
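Review bot: The added patch file records its upstream origin only through the hash on its `From` line; neither the patch body nor the spec changelog carries a cherry-pick trailer, so provenance of the backport is hard to audit later. I would append `(cherry picked from commit 1b0b41293a0d49ff8063542fcb3a5ee1d4e10f7e)` to the patch's commit message so the upstream commit can be verified against the one-line change at `+@@ -1457,7 +1457,7 @@ CryptRsaDecrypt(`. The change itself makes a decryption failure distinguishable from an internal fault (TPM_RC_VALUE instead of TPM_RC_FAILURE); for RSA decryption this is the kind of error distinction that can matter for padding-oracle resistance, so it is worth stating in the changelog that the new code is the upstream/TCG-chosen value rather than a local choice — hedged, because the hunk does not show which padding scheme reaches this EVP_PKEY_decrypt call, nor whether ERROR_RETURN itself affects failure mode. The following `if (outlen > dOut->size) ERROR_RETURN(TPM_RC_FAILURE);` is left as an internal-fault code, which looks intentional. CryptRsaDecrypt begins and ends outside the hunk.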
@@ -13,6 +13,7 @@
 Patch0001: 0001-tpm2-Do-not-call-EVP_PKEY_CTX_set0_rsa_oaep_label-fo.patch
 Patch0002: 0001-tpm2-Fix-size-check-in-CryptSecretDecrypt.patch
 Patch0003: 0001-tpm2-When-writing-state-initialize-s_ContextSlotMask.patch
 Patch0004: 0001-tpm2-Check-size-of-buffer-before-accessing-it-CVE-20.patch
+Patch0005: 0001-tpm2-Return-TPM_RC_VALUE-upon-decryption-failure.patch
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig gawk sed
@@ -59,6 +60,10 @@ find %{buildroot} -type f -name '*.la' | xargs rm -f -- || :
 %{_mandir}/man3/*
 %changelog
+* Wed Sep 04 2024 Marc-André Lureau - 0.9.1-4.20211126git1ff6fe1f43
+- Backport "tpm2: Return TPM_RC_VALUE upon decryption failure"
+ Resolves: RHEL-58056
+
 * Wed Mar 01 2023 Marc-André Lureau - 0.9.1-3.20211126git1ff6fe1f43
 - Backport "tpm2: Check size of buffer before accessing it" (CVE-2023-1017 & CVE-2023-1018)
 Resolves: rhbz#2173960