diff --git a/gnupg-CVE-2018-9234.patch b/gnupg-CVE-2018-9234.patch
new file mode 100644
index 0000000..c3a550f
--- /dev/null
+++ b/gnupg-CVE-2018-9234.patch
@@ -0,0 +1,23 @@
+From: Karol Babioch <kbabioch@suse.de>
+Date: Thu Apr  5 10:32:21 CEST 2018
+Upstream: merged
+References: https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657
+References: https://dev.gnupg.org/T3844
+Subject: Fix for bnc#1088255 (CVE-2018-9234)
+---
+ g10/getkey.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: gnupg-2.2.5/g10/getkey.c
+===================================================================
+--- gnupg-2.2.5.orig/g10/getkey.c
++++ gnupg-2.2.5/g10/getkey.c
+@@ -1810,6 +1810,8 @@ get_pubkey_byfprint (ctrl_t ctrl, PKT_pu
+       ctx.items[0].mode = fprint_len == 16 ? KEYDB_SEARCH_MODE_FPR16
+ 	: KEYDB_SEARCH_MODE_FPR20;
+       memcpy (ctx.items[0].u.fpr, fprint, fprint_len);
++      if (pk)
++        ctx.req_usage = pk->req_usage;
+       rc = lookup (ctrl, &ctx, 0, &kb, &found_key);
+       if (!rc && pk)
+ 	pk_from_block (pk, kb, found_key);
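Review bot: Nothing in this patch file says why copying `pk->req_usage` into `ctx.req_usage` in get_pubkey_byfprint fixes CVE-2018-9234; the header Subject only names the bug and CVE numbers. Since the code should stay identical to the upstream commit, I would add a description line to the patch header instead, e.g. `Pass the caller's requested key usage to lookup() so that a key or subkey lacking that capability is not returned.` The assignment is guarded by `if (pk)`, so a caller passing a NULL `pk` presumably still gets a match with no usage filter. The function starts and ends outside this hunk, so it is worth confirming in the rest of getkey.c that no usage-sensitive caller takes that path. A regression test that attempts a certification with only a signing subkey available would show the packaged build actually rejects it.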
diff --git a/gpg2.changes b/gpg2.changes
index c9cab4b..e9a66c3 100644
--- a/gpg2.changes
+++ b/gpg2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr  5 08:38:58 UTC 2018 - kbabioch@suse.com
+
+- Added gnupg-CVE-2018-9234.patch: Enforce that key certification
+  can only be done with the master key, and not a signing subkey.
+  (bnc#1088255 CVE-2018-9234) 
+
 -------------------------------------------------------------------
 Sun Feb 25 12:14:54 UTC 2018 - astieger@suse.com
 
diff --git a/gpg2.spec b/gpg2.spec
index 3147026..2a62784 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -34,6 +34,7 @@ Patch6:         gnupg-dont-fail-with-seahorse-agent.patch
 Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 Patch11:        gnupg-add_legacy_FIPS_mode_option.patch
+Patch12:        gnupg-CVE-2018-9234.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  libassuan-devel >= 2.5.0
@@ -85,6 +86,7 @@ gpg2 provides GPGSM, gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
+%patch12 -p1
 
 %build
 date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})