diff --git a/CVE-2017-18201.patch b/CVE-2017-18201.patch
new file mode 100644
index 0000000..265dd5b
--- /dev/null
+++ b/CVE-2017-18201.patch
@@ -0,0 +1,24 @@
+From f6f9c48fb40b8a1e8218799724b0b61a7161eb1d Mon Sep 17 00:00:00 2001
+From: "R. Bernstein" <rocky@gnu.org>
+Date: Fri, 22 Dec 2017 16:06:57 -0500
+Subject: [PATCH] Fix double free courtesy of Chris Clayton
+
+---
+ lib/driver/_cdio_generic.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c
+index d40ac0d9..ae820d25 100644
+--- a/lib/driver/_cdio_generic.c
++++ b/lib/driver/_cdio_generic.c
+@@ -296,7 +296,6 @@ get_cdtext_generic (void *p_user_data)
+ 
+       if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) {
+         p_env->b_cdtext_error = true;
+-        cdtext_destroy (p_env->cdtext);
+         free(p_env->cdtext);
+         p_env->cdtext = NULL;
+       }
+-- 
+2.16.2
+
diff --git a/cdio-utils.spec b/cdio-utils.spec
index 7c0312c..3abe671 100644
--- a/cdio-utils.spec
+++ b/cdio-utils.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package cdio-utils
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/libcdio.changes b/libcdio.changes
index 3fe0207..45f940d 100644
--- a/libcdio.changes
+++ b/libcdio.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb 27 17:09:35 CET 2018 - sbrabec@suse.com
+
+- Fix double free vulnerability (bsc#1082877, CVE-2017-18201,
+  CVE-2017-18201.patch).
+
 -------------------------------------------------------------------
 Sat Nov  4 20:38:28 UTC 2017 - schwab@linux-m68k.org
 
diff --git a/libcdio.spec b/libcdio.spec
index 250c4c6..7f9e1f7 100644
--- a/libcdio.spec
+++ b/libcdio.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libcdio
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,6 +31,8 @@ Source2:        %{name}.keyring
 Source3:        baselibs.conf
 # PATCH-FIX-UPSTREAM 0001-Savannah-Bug-49907.patch https://savannah.gnu.org/bugs/index.php?49907
 Patch0:         0001-Savannah-Bug-49907.patch
+# PATCH-FIX-SECURITY CVE-2017-18201.patch bsc1082877 CVE-2017-18201 sbrabec@suse.com -- Fix double free vulnerability.
+Patch1:         CVE-2017-18201.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  help2man
@@ -110,6 +112,7 @@ applications that want to make use of the cdio libraries.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %define buildir ${PWD}