diff --git a/0018-fix-CVE-2024-26462.patch b/0018-fix-CVE-2024-26462.patch
new file mode 100644
index 0000000000000000000000000000000000000000..80d839a41d92580acfcbaf86c6650adcb111a28b
--- /dev/null
+++ b/0018-fix-CVE-2024-26462.patch
@@ -0,0 +1,20 @@
+diff --git a/src/kdc/ndr.c b/src/kdc/ndr.c
+index 48395ab..d438408 100644
+--- a/src/kdc/ndr.c
++++ b/src/kdc/ndr.c
+@@ -96,14 +96,13 @@ enc_wchar_pointer(const char *utf8, struct encoded_wchars *encoded_out)
+     size_t utf16len, num_wchars;
+     uint8_t *utf16;
+ 
+-    k5_buf_init_dynamic(&b);
+-
+     ret = k5_utf8_to_utf16le(utf8, &utf16, &utf16len);
+     if (ret)
+         return ret;
+ 
+     num_wchars = utf16len / 2;
+ 
++    k5_buf_init_dynamic(&b);
+     k5_buf_add_uint32_le(&b, num_wchars + 1);
+     k5_buf_add_uint32_le(&b, 0);
+     k5_buf_add_uint32_le(&b, num_wchars);
diff --git a/krb5.spec b/krb5.spec
index 03fefa4f8153e4f3cf0579e570967ca64a86777d..90da143a635e4ec719ff2ea3ef9bb2b95272b598 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 
 # Set this so that find-lang.sh will recognize the .po files.
 %global gettext_domain mit-krb5
@@ -50,6 +50,7 @@ Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch
 Patch15: 0015-downstream-Do-not-set-root-as-ksu-file-owner.patch
 Patch16: 0016-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
 Patch17: 0017-Add-PAC-full-checksums.patch
+Patch18: 0018-fix-CVE-2024-26462.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -685,6 +686,9 @@ exit 0
 %{_datarootdir}/%{name}-tests/
 
 %changelog
+* Fri May 17 2024 Chuanyi Feng <feng.chuanyi@zte.com.cn> - 1.20.2-2
+- Fix CVE-2024-26462
+
 * Thu Aug 10 2023 Funda Wang <fundawang@yeah.net> - 1.20.2-1
 - New version 1.20.2