diff --git a/libxml2-2.12.5-CVE-2024-40896.patch b/libxml2-2.12.5-CVE-2024-40896.patch new file mode 100644 index 0000000..aa28523 --- /dev/null +++ b/libxml2-2.12.5-CVE-2024-40896.patch @@ -0,0 +1,37 @@ +From 4c2b237174539db92f4504fbc5198d2f1561baca Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 6 Jul 2024 01:03:46 +0200 +Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code + +Some users set an entity's children manually in the getEntity SAX +callback to restrict entity expansion. This stopped working after +renaming the "checked" member of xmlEntity, making at least one +downstream project and its dependants susceptible to XXE attacks. + +See #761. +--- + parser.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/parser.c b/parser.c +index fe0ff4e2d..58ad02dbc 100644 +--- a/parser.c ++++ b/parser.c +@@ -7280,6 +7280,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + return; + } + ++ /* ++ * Some users try to parse entities on their own and used to set ++ * the renamed "checked" member. Fix the flags to cover this ++ * case. ++ */ ++ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL)) ++ ent->flags |= XML_ENT_PARSED; ++ + /* + * The first reference to the entity trigger a parsing phase + * where the ent->children is filled with the result from +-- +GitLab + diff --git a/libxml2.spec b/libxml2.spec index 4e61e0e..7c05e6c 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,6 +1,6 @@ Name: libxml2 Version: 2.12.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Library providing XML and HTML support # list.c, dict.c and few others use ISC-Veillard @@ -18,6 +18,8 @@ Patch0: libxml2-multilib.patch # Patch from openSUSE. # See: https://bugzilla.gnome.org/show_bug.cgi?id=789714 Patch1: libxml2-2.12.0-python3-unicode-errors.patch +# https://issues.redhat.com/browse/RHEL-72060 +Patch2: libxml2-2.12.5-CVE-2024-40896.patch BuildRequires: cmake-rpm-macros BuildRequires: gcc 
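Review bot: The added guard in xmlParseReference only marks an entity XML_ENT_PARSED when `ent->children` is already non-NULL, so a getEntity callback that tries to block expansion by leaving `children` empty gets nothing from this change and still falls through to the parsing phase that starts just below the hunk (the rest of xmlParseReference is outside the patch). That is the same scope as the upstream commit named in the From line, so it is not a defect of the backport, but it deserves a line in the patch header so the next maintainer does not assume every callback-based XXE guard is restored, e.g. `Only callbacks that pre-populate ent->children are covered; leaving children NULL still expands normally.` The From line carries what looks like the master commit hash while the target is 2.12.5, so confirm the hunk applies at the stated offset without fuzz rather than relying on the rename note in the message. Entity references inside attribute values presumably go through a separate decode path that this hunk does not touch; whether that path needs the same treatment cannot be judged from what is shown here.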
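Review bot: The spec gains a `Patch2:` declaration but nothing in the diff applies it; whether it is actually used depends on the %prep section, which is outside this hunk. If %prep uses `%autosetup -p1` (or `%autopatch`) the new patch is picked up automatically, but if it lists `%patch` lines individually a matching `%patch -P2 -p1` entry is needed, otherwise the build still ships the vulnerable code while the changelog claims the CVE fixed. A cheap check is to confirm the build log shows the patch being applied, or to grep the patched parser.c for `(ent->children != NULL)` next to `XML_ENT_PARSED`. The comment above the declaration only cites the RHEL ticket; keeping upstream provenance in the spec itself helps future rebases, e.g. `# https://issues.redhat.com/browse/RHEL-72060 (upstream commit 4c2b2371, libxml2 issue #761)`.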
@@ -158,6 +160,9 @@ popd %{python3_sitelib}/__pycache__/drv_libxml2.* %changelog +* Tue Dec 24 2024 David King - 2.12.5-4 +- Fix CVE-2024-40896 (RHEL-72060) + * Tue Oct 29 2024 Troy Dawson - 2.12.5-3 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018