diff --git a/SOURCES/opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch b/SOURCES/opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch
new file mode 100644
index 0000000..dc8c70c
--- /dev/null
+++ b/SOURCES/opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch
@@ -0,0 +1,12 @@
+diff -up opencryptoki-3.17.0/usr/lib/api/api_interface.c.me opencryptoki-3.17.0/usr/lib/api/api_interface.c
+--- opencryptoki-3.17.0/usr/lib/api/api_interface.c.me	2022-01-17 12:04:18.937010924 +0100
++++ opencryptoki-3.17.0/usr/lib/api/api_interface.c	2022-01-17 12:04:54.020182038 +0100
+@@ -2869,7 +2869,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
+ 
+     rc = check_user_and_group();
+     if (rc != CKR_OK)
+-        return rc;
++        goto done;
+ 
+     if (!Anchor) {
+         Anchor = (API_Proc_Struct_t *) malloc(sizeof(API_Proc_Struct_t));
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 751613e..f05ec06 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.17.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -13,6 +13,7 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing p11sak_defined_attrs.conf
 Patch2: opencryptoki-1.17.0-p11sak.patch
 # upstream patches
+Patch100: opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch
 
 Requires(pre): coreutils
 Requires: (selinux-policy >= 3.14.3-70 if selinux-policy-targeted)
@@ -340,6 +341,9 @@ fi
 
 
 %changelog
+* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-3
+- Resolves: #2040677, API: Unlock GlobMutex if user and group check fails
+
 * Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2
 - Related: #1984993, add missing p11sak_defined_attrs.conf