diff --git a/libyang-fix-CVE-2026-44673.patch b/libyang-fix-CVE-2026-44673.patch
new file mode 100644
index 0000000..e91e90c
--- /dev/null
+++ b/libyang-fix-CVE-2026-44673.patch
@@ -0,0 +1,29 @@
+diff --git a/src/parser_lyb.c b/src/parser_lyb.c
+index 788be94..5a26e43 100644
+--- a/src/parser_lyb.c
++++ b/src/parser_lyb.c
+@@ -217,6 +217,11 @@ lyb_read_string(char **str, uint8_t len_size, struct lylyb_ctx *lybctx)
+
+ lyb_read_number(&len, sizeof len, len_size, lybctx);
+
++ /* len could be potentially at UINT64_MAX meaning that len + 1 would
++ * cause malloc(0) followed by an out-of-bounds write */
++ LY_CHECK_ERR_RET(len == UINT64_MAX,
++ LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
++
+ *str = malloc((len + 1) * sizeof **str);
+ LY_CHECK_ERR_RET(!*str, LOGMEM(lybctx->ctx), LY_EMEM);
+
+@@ -281,6 +281,12 @@ lyb_read_term_value(const struct lysc_node_leaf *term, uint8_t **term_value, uin
+ *term_value_len = lyb_data_len;
+ }
+
++ /* *term_value_len + 1 can overflow uint32_t allocated_size when
++ * *term_value_len >= UINT32_MAX, causing malloc(0) followed by
++ * an out-of-bounds write (OOM / DoS) */
++ LY_CHECK_ERR_RET(*term_value_len >= UINT32_MAX,
++ LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
++
+ /* Allocate memory. */
+ allocated_size = *term_value_len + 1;
+ *term_value = malloc(allocated_size * sizeof **term_value);
diff --git a/libyang.spec b/libyang.spec
index 100a41b..2e42e4f 100644
--- a/libyang.spec
+++ b/libyang.spec
@@ -12,7 +12,7 @@ Name: libyang
 Version: 2.1.148
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: YANG data modeling language library
 Url: https://github.com/CESNET/libyang
 Source: %{url}/archive/v%{version}.tar.gz
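Review bot: The new `len == UINT64_MAX` guard in lyb_read_string only prevents the 64-bit wrap of `len + 1`; the product `(len + 1) * sizeof **str` is still computed in uint64_t and narrowed to size_t at the malloc call, so on a target where size_t is 32 bits a length of 0xFFFFFFFF passes the check and still reaches `malloc(0)` followed by the out-of-bounds write the comment describes (this assumes `len` is declared uint64_t, which is above the hunk). Bounding against the allocation type covers both widths with the same header already needed for UINT64_MAX: `LY_CHECK_ERR_RET(len >= SIZE_MAX, LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);`. Whether `len` is also bounded by the remaining input before the string bytes are read is not visible in this hunk and is worth confirming, since a size-only check still accepts any allocation that malloc can satisfy. The second hunk's comment labels the consequence "(OOM / DoS)" although what it describes is a heap out-of-bounds write, so `an out-of-bounds write (memory corruption) */` would be the accurate wording. Both lyb_read_string and lyb_read_term_value begin and end outside the hunk.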
@@ -20,6 +20,9 @@ License: BSD-3-Clause
 # disable tests failing on s390x
 Patch1: disable-test_structure.patch
+# Original commit: https://github.com/CESNET/libyang/commit/48672b2
+# We have a different version, below is a minimal patch
+Patch2: libyang-fix-CVE-2026-44673.patch
 BuildRequires: cmake
 BuildRequires: doxygen
@@ -112,6 +115,10 @@ cp -a doc/html %{buildroot}/%{_docdir}/libyang/html %{_docdir}/libyang
 %changelog
+* Mon May 25 2026 Michal Ruprich - 2.1.148-4
+- DoS or arbitrary code execution via maliciously crafted LYB binary blob
+- Resolves: RHEL-177026 - CVE-2026-44673
+
 * Wed Nov 05 2025 Michal Ruprich - 2.1.148-3
 - Resolves: RHEL-119430 - Move libyang-devel to CRB