diff --git a/SOURCES/RHEL-157190-fix-bundled-pyasn1-CVE-2026-30922.patch b/SOURCES/RHEL-157190-fix-bundled-pyasn1-CVE-2026-30922.patch
new file mode 100644
index 0000000..b80a091
--- /dev/null
+++ b/SOURCES/RHEL-157190-fix-bundled-pyasn1-CVE-2026-30922.patch
@@ -0,0 +1,40 @@
+From 25ad481c19fdb006e20485ef3fc2e5b3eff30ef0 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Mon, 16 Mar 2026 17:23:11 -0700
+Subject: [PATCH] Merge commit from fork
+
+---
+ pyasn1/codec/ber/decoder.py | 10 +++
+ tests/codec/ber/test_decoder.py | 116 ++++++++++++++++++++++++++++++++
+ tests/codec/cer/test_decoder.py | 24 +++++++
+ tests/codec/der/test_decoder.py | 42 ++++++++++++
+ 4 files changed, 192 insertions(+)
+
+diff --git a/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py b/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py
+index 50b14e98..2ea0be13 100644
+--- a/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py
++++ b/gcp/google-cloud-sdk/lib/third_party/pyasn1/codec/ber/decoder.py
+@@ -36,6 +36,7 @@
+ # Maximum number of continuation octets (high-bit set) allowed per OID arc.
+ # 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
+ MAX_OID_ARC_CONTINUATION_OCTETS = 20
++MAX_NESTING_DEPTH = 100
+ 
+ # Maximum number of bytes in a BER length field (8 bytes = up to 2^64-1)
+ MAX_LENGTH_OCTETS = 8
+@@ -1568,6 +1569,15 @@ def __call__(self, substrate, asn1Spec=None,
+ decodeFun=None, substrateFun=None,
+ **options):
+ 
++ _nestingLevel = options.get('_nestingLevel', 0)
++
++ if _nestingLevel > MAX_NESTING_DEPTH:
++ raise error.PyAsn1Error(
++ 'ASN.1 structure nesting depth exceeds limit (%d)' % MAX_NESTING_DEPTH
++ )
++
++ options['_nestingLevel'] = _nestingLevel + 1
++
+ allowEoo = options.pop('allowEoo', False)
+ 
+ if LOG:
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 564e784..2b05df7 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
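Review bot: The depth guard added at `@@ -1568` keeps its counter in `options` and only bounds recursion if every nested decode call forwards that same dict (`**options`) with `_nestingLevel` intact; a nested call that rebuilds its keyword arguments or pops the key restarts the count at 0, and the rest of `__call__` that would show whether this happens lies outside the hunk. The patch header's diffstat still lists `tests/codec/{ber,cer,der}/test_decoder.py` (182 lines) and `4 files changed, 192 insertions(+)`, but only the `decoder.py` hunks are carried, so nothing in the build exercises the limit against the bundled Google Cloud SDK copy whose paths were rewritten to `gcp/google-cloud-sdk/lib/third_party/pyasn1/`. Either carry the upstream tests or trim the diffstat to the one file actually patched and state in the header that the tests were dropped. A one-line comment above the check would also help the next backporter: `# _nestingLevel must be forwarded via **options by every nested decode call`.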
@@ -73,7 +73,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.9.0 -Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.32 +Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.33 License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/resource-agents %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} @@ -204,6 +204,7 @@ Patch1013: RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch Patch1014: RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch Patch1015: RHEL-140787-RHEL-146289-fix-bundled-urllib3-CVE-2026-21441.patch Patch1016: RHEL-142448-fix-bundled-pyasn1-CVE-2026-23490.patch +Patch1017: RHEL-157190-fix-bundled-pyasn1-CVE-2026-30922.patch Obsoletes: heartbeat-resources <= %{version} Provides: heartbeat-resources = %{version} @@ -767,6 +768,7 @@ pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1014} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1015} /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1016} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1017} popd %endif @@ -1061,6 +1063,10 @@ ccs_update_schema > /dev/null 2>&1 ||: %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm %changelog +* Tue Apr 28 2026 Oyvind Albrigtsen - 4.9.0-54.33 +- bundled pyasn1: fix CVE-2026-30922 + Resolves: RHEL-157190 + * Fri Apr 10 2026 Oyvind Albrigtsen - 4.9.0-54.32 - db2: do not use db2stop to avoid divergence in the log
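Review bot: `%{PATCH1017}` in the `@@ -767` hunk is applied with `--fuzz=2` while the neighbouring `%{PATCH1014}`–`%{PATCH1016}` lines use `--fuzz=0`; fuzz lets patch(1) seat a hunk whose leading or trailing context lines do not match, and the `@@ -1568` hunk of the new patch has only three lines of leading context, so in the bundled (presumably older) pyasn1 copy the nesting guard could land in a different method without the build failing. Regenerating the patch against the bundled `decoder.py` so that `/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1017}` applies would keep the rule the other bundled-library patches follow; if fuzz is unavoidable, a spec comment above the line naming the context that differs would let the next rebase verify the placement.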