diff --git a/0005-Fix-for-CVE-2017-16516.patch b/0005-Fix-for-CVE-2017-16516.patch
new file mode 100644
index 0000000..7d48816
--- /dev/null
+++ b/0005-Fix-for-CVE-2017-16516.patch
@@ -0,0 +1,43 @@
+From 0b5e73c4321de0ba1d495fdc0967054b2a77931c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 10 Jul 2023 13:36:10 +0100
+Subject: [PATCH 5/8] Fix for CVE-2017-16516
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Description: Fix for CVE-2017-16516
+ Potential buffer overread: A JSON file can cause denial of service.
+Origin: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040036
+Bug: https://github.com/lloyd/yajl/issues/248
+
+Patch taken from Debian package source
+
+NB, Fedora code can't trigger the reported aborts since it passes the
+-DNDEBUG flag, but pulling the fix for robustness in case a future
+change enables the assert()s.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/yajl_encode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/yajl_encode.c b/src/yajl_encode.c
+index fd08258..0d97cc5 100644
+--- a/src/yajl_encode.c
++++ b/src/yajl_encode.c
+@@ -139,8 +139,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
+                     end+=3;
+                     /* check if this is a surrogate */
+                     if ((codepoint & 0xFC00) == 0xD800) {
+-                        end++;
+-                        if (str[end] == '\\' && str[end + 1] == 'u') {
++                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
++                            end++;
+                             unsigned int surrogate = 0;
+                             hexToDigit(&surrogate, str + end + 2);
+                             codepoint =
+-- 
+2.41.0
+
diff --git a/yajl.spec b/yajl.spec
index 05f131f..acb531f 100644
--- a/yajl.spec
+++ b/yajl.spec
@@ -25,6 +25,7 @@ Patch: 0001-pkg-config-file-should-be-in-lib-dir-not-shared-data.patch
 Patch: 0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch
 Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
 Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch
+Patch: 0005-Fix-for-CVE-2017-16516.patch
 
 BuildRequires: gcc
 BuildRequires: cmake
@@ -95,6 +96,7 @@ cd test
 %changelog
 * Mon Jul 10 2023 Daniel P. Berrangé <berrange@redhat.com> - 2.1.0-21
 - Switch to using git for managing patches
+- Fix potential buffer overread (CVE-2017-16516)
 
 * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-20
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild