diff --git a/CVE-2023-49100.patch b/CVE-2023-49100.patch
new file mode 100644
index 0000000000000000000000000000000000000000..82f19b4a2f22a7017b0a4326a209042a59d3dfe0
--- /dev/null
+++ b/CVE-2023-49100.patch
@@ -0,0 +1,16 @@
+diff --git a/services/std_svc/sdei/sdei_main.c b/services/std_svc/sdei/sdei_main.c
+index 44178ed..0fd3c1d 100644
+--- a/services/std_svc/sdei/sdei_main.c
++++ b/services/std_svc/sdei/sdei_main.c
+
+@@ -710,8 +710,8 @@
+ sdei_ev_map_t *map;
+ bool retry = true, shared_mapping;
+
+- /* SGIs are not allowed to be bound */
+- if (plat_ic_is_sgi(intr_num) != 0)
++ /* Interrupt must be either PPI or SPI */
++ if (!(plat_ic_is_ppi(intr_num) || plat_ic_is_spi(intr_num)))
+ return SDEI_EINVAL;
+
+ shared_mapping = (plat_ic_is_spi(intr_num) != 0);
diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec
index 87b20c6a951ff9fd7f906d8ae21d34a1a855a217..1408a2aed7634e0676d85ba5d155d53d82374476 100644
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 %global debug_package %{nil}
@@ -17,6 +17,8 @@ Patch0002: CVE-2022-47630-1.patch
 Patch0003: CVE-2022-47630-2.patch
 # https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f5c51855d36e399e
 Patch0004: CVE-2022-47630-3.patch
+# https://git.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a.git/+/a7eff3477dcf3624c74f5217419b1a27b7ebd2aa
+Patch0005: CVE-2023-49100.patch
 ExclusiveArch: aarch64
 BuildRequires: gcc dtc
@@ -107,6 +109,9 @@ done
 %doc readme.rst
 %changelog
+* Mon Apr 28 2025 mgb01105731 - 2.8-4
+- Fix CVE-2023-49100
+
 * Wed Dec 04 2024 Zhongkun He - 2.8-3
 - Fix CVE-2022-47630
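Review bot: CVE-2023-49100.patch carries only the bare hunk, with no commit header and a blank line between `+++ b/services/std_svc/sdei/sdei_main.c` and `@@ -710,8 +710,8 @@`, so the file itself cannot be checked against the upstream fix and looks hand-edited. I would add a first line such as `# Backport of upstream commit a7eff3477dcf3624c74f5217419b1a27b7ebd2aa` (text before the `diff --git` line is ignored when the patch is applied) and confirm that it applies without fuzz. On the code itself, the new test is an allow-list that is only as strict as the platform's `plat_ic_is_ppi()` and `plat_ic_is_spi()`, which are defined outside this hunk, as are the start and end of the enclosing function. It is worth checking that the interrupt-controller driver used by the packaged platforms bounds the ID in both helpers.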
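Review bot: Adding `Patch0005: CVE-2023-49100.patch` in the `@@ -17,6 +17,8 @@` hunk only declares the patch, and no hunk in this commit touches `%prep`, so whether the fix is actually applied depends on a section that is not visible here. If `%prep` uses `%autosetup -p1` or `%autopatch`, nothing more is needed. If it applies patches one by one, a matching line such as `%patch -P 5 -p1` is required; otherwise 2.8-4 would ship with a changelog entry for CVE-2023-49100 while the SDEI check stays unchanged. The build log should show the patch being applied before the release is tagged.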