diff --git a/0003-luks-Avoid-crash-when-image-does-not-contain-a-LUKS-.patch b/0003-luks-Avoid-crash-when-image-does-not-contain-a-LUKS-.patch
new file mode 100644
index 0000000..9838b2d
--- /dev/null
+++ b/0003-luks-Avoid-crash-when-image-does-not-contain-a-LUKS-.patch
@@ -0,0 +1,44 @@
+From dc86950fff020688a17b6ff0dbfea7bdb0d8f1b9 Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 10 Jan 2023 08:39:11 +0000
+Subject: [PATCH] luks: Avoid crash when image does not contain a LUKS header
+
+We attempt to load the LUKS header in the prepare() callback.  If this
+fails, h->h will be NULL and we'll crash in close() when we attempt to
+access and free h->h->masterkey.
+
+This crash could have been triggered another way: if open() followed
+by close() was called, without prepare() or other callbacks.
+
+Reported-by: Ming Xie
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2159581
+(cherry picked from commit cad4b96b17ed4ad7882100efa0d9073ac9d8b11c)
+---
+ filters/luks/luks-encryption.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/filters/luks/luks-encryption.c b/filters/luks/luks-encryption.c
+index 26f81e7b..6f33e76e 100644
+--- a/filters/luks/luks-encryption.c
++++ b/filters/luks/luks-encryption.c
+@@ -856,11 +856,13 @@ load_header (nbdkit_next *next, const char *passphrase)
+ void
+ free_luks_data (struct luks_data *h)
+ {
+-  if (h->masterkey) {
+-    memset (h->masterkey, 0, h->phdr.master_key_len);
+-    free (h->masterkey);
++  if (h) {
++    if (h->masterkey) {
++      memset (h->masterkey, 0, h->phdr.master_key_len);
++      free (h->masterkey);
++    }
++    free (h);
+   }
+-  free (h);
+ }
+ 
+ uint64_t
+-- 
+2.31.1
+
diff --git a/nbdkit.spec b/nbdkit.spec
index c251b69..984376f 100644
--- a/nbdkit.spec
+++ b/nbdkit.spec
@@ -53,7 +53,7 @@ ExclusiveArch:  x86_64
 
 Name:           nbdkit
 Version:        1.32.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        NBD server
 
 License:        BSD
@@ -80,6 +80,7 @@ Source3:        copy-patches.sh
 # Patches.
 Patch0001:     0001-ssh-Remove-left-over-comment.patch
 Patch0002:     0002-ssh-Improve-the-error-message-when-all-authenticatio.patch
+Patch0003:     0003-luks-Avoid-crash-when-image-does-not-contain-a-LUKS-.patch
 
 # For automatic RPM Provides generation.
 # See: https://rpm-software-management.github.io/rpm/manual/dependency_generators.html
@@ -1198,12 +1199,14 @@ export LIBGUESTFS_TRACE=1
 
 
 %changelog
-* Fri Jan 06 2022 Richard W.M. Jones <rjones@redhat.com> - 1.32.5-2
+* Tue Jan 10 2023 Richard W.M. Jones <rjones@redhat.com> - 1.32.5-3
 - Rebase to new stable branch version 1.32.5
   resolves: rhbz#2135765
 - Move stats filter to new subpackage.
 - Improve error message when PasswordAuthentication is set to 'no'
   resolves: rhbz#2158300
+- luks: Avoid crash when image does not contain a LUKS header
+  resolves: rhbz#2159581
 
 * Tue Nov 29 2022 Richard W.M. Jones <rjones@redhat.com> - 1.30.8-2
 - Add support for VDDK 8.0.0