diff --git a/squid-4.15-CVE-2024-23638.patch b/squid-4.15-CVE-2024-23638.patch
new file mode 100644
index 0000000..51fc1f6
--- /dev/null
+++ b/squid-4.15-CVE-2024-23638.patch
@@ -0,0 +1,31 @@
+commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Sun Nov 12 09:33:20 2023 +0000
+
+    Do not update StoreEntry expiration after errorAppendEntry() (#1580)
+    
+    errorAppendEntry() is responsible for setting entry expiration times,
+    which it does by calling StoreEntry::storeErrorResponse() that calls
+    StoreEntry::negativeCache().
+    
+    This change was triggered by a vulnerability report by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
+    it was filed as "Use-After-Free in Cache Manager Errors". The reported
+    "use after free" vulnerability was unknowingly addressed by 2022 commit
+    1fa761a that removed excessively long "reentrant" store_client calls
+    responsible for the disappearance of the properly locked StoreEntry in
+    this (and probably other) contexts.
+
+
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index 8055ece..fdcc9cf 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -323,7 +323,6 @@ CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request
+         const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request);
+         err->url = xstrdup(entry->url());
+         errorAppendEntry(entry, err);
+-        entry->expires = squid_curtime;
+         return;
+     }
+ 
diff --git a/squid.spec b/squid.spec
index 83440ea..8d93173 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.2
+Release:  10%{?dist}.3
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -72,7 +72,8 @@ Patch312: squid-4.15-CVE-2024-25111.patch
 # Regression caused by squid-4.15-CVE-2023-46846.patch
 # Upstream PR: https://github.com/squid-cache/squid/pull/1914
 Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=2260051
+Patch314: squid-4.15-CVE-2024-23638.patch
 
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@@ -149,6 +150,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch311 -p1 -b .CVE-2024-25617
 %patch312 -p1 -b .CVE-2024-25111
 %patch313 -p1 -b .ignore-wsp-chunk-sz
+%patch314 -p1 -b .CVE-2024-23638
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -365,6 +367,10 @@ fi
 
 
 %changelog
+* Wed Nov 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.3
+- Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to
+  a Denial of Service attack against Cache Manager error responses
+
 * Thu Nov 07 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.2
 - Disable ESI support
 - Resolves: RHEL-65075 - CVE-2024-45802 squid:4/squid: Denial of Service