diff --git a/CVE-2024-33427.patch b/CVE-2024-33427.patch
new file mode 100644
index 0000000..b5ee2a2
--- /dev/null
+++ b/CVE-2024-33427.patch
@@ -0,0 +1,13 @@
+Index: squid-6.9/src/ConfigParser.cc
+===================================================================
+--- squid-6.9.orig/src/ConfigParser.cc
++++ squid-6.9/src/ConfigParser.cc
+@@ -181,7 +181,7 @@ ConfigParser::UnQuote(const char *token,
+ *d = '\0';
+
+ // We are expecting a separator after quoted string, space or one of "()#"
+- if (*(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1)) && !errorStr) {
++ if (!errorStr && *(s + 1) != '\0' && !strchr(w_space "()#", *(s + 1))) {
+ errorStr = "Expecting space after the end of quoted token";
+ errorPos = token;
+ }
diff --git a/squid.changes b/squid.changes
index f94dd78..37b8f6f 100644
--- a/squid.changes
+++ b/squid.changes
@@ -12,6 +12,8 @@ Tue May 28 08:39:49 UTC 2024 - Adam Majer
 - header_fixups.patch: upstreamed, removed
 - 9be86d8db5e8f40829374d26334d0bb5272c1afd.patch: upstreamed, removed
+- CVE-2024-33427.patch: fixes possible buffer overread leading to
+ denial of service (bsc#1225417, CVE-2024-33427)
 -------------------------------------------------------------------
 Wed Mar 6 12:02:14 UTC 2024 - Adam Majer
diff --git a/squid.spec b/squid.spec
index 3b232d8..96a6cdd 100644
--- a/squid.spec
+++ b/squid.spec
@@ -51,6 +51,7 @@ Source17: tmpfilesdir.squid.conf
 Patch1: missing_installs.patch
 Patch2: old_nettle_compat.patch
 Patch3: harden_squid.service.patch
+Patch4: CVE-2024-33427.patch
 BuildRequires: cppunit-devel
 BuildRequires: expat
 BuildRequires: fdupes
@@ -107,6 +108,7 @@ accelerator.
 %setup -q
 cp %{SOURCE10} .
 %patch -P 3 -p1
+%patch -P 4 -p1
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
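Review bot: CVE-2024-33427.patch begins directly at the quilt `Index:` line, so the patch file itself records neither where the fix comes from nor why the operand order matters. The new condition is safe only through short-circuit evaluation: `!errorStr` has to be tested before `*(s + 1)` is read, presumably because an earlier error in ConfigParser::UnQuote can leave `s` on the terminating NUL; the part of the function that sets `errorStr` is outside the hunk, so confirm this against the full source. I would add a header above `Index:` such as `# bsc#1225417, CVE-2024-33427: test errorStr before reading *(s + 1) in ConfigParser::UnQuote` followed by `# Upstream: <upstream commit URL>`, so the patch can be traced and dropped once a release contains it.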