diff --git a/1058-fix-CVE-2024-3446.patch b/1058-fix-CVE-2024-3446.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b658a49100a30f26d077ee98ad06fb7460962c7e
--- /dev/null
+++ b/1058-fix-CVE-2024-3446.patch
@@ -0,0 +1,85 @@ +From 229f2d1b3cf8f3334670f6a797b92bcdc062b589 Mon Sep 17 00:00:00 2001 +From: Chunmei Xu +Date: Tue, 20 Aug 2024 18:22:10 +0800 +Subject: [PATCH 1/1] fix CVE-2024-3446 + +--- + hw/char/virtio-serial-bus.c | 3 +-- + hw/virtio/virtio-crypto.c | 4 ++-- + hw/virtio/virtio.c | 10 ++++++++++ + include/hw/virtio/virtio.h | 7 +++++++ + 4 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c +index dd619f073..1221fb7f1 100644 +--- a/hw/char/virtio-serial-bus.c ++++ b/hw/char/virtio-serial-bus.c +@@ -985,8 +985,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp) + return; + } + +- port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port, +- &dev->mem_reentrancy_guard); ++ port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); + port->elem = NULL; + } + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 0e2cc8d5a..634be6169 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp) + vcrypto->vqs[i].dataq = + virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh); + vcrypto->vqs[i].dataq_bh = +- qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i], +- &dev->mem_reentrancy_guard); ++ virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, ++ &vcrypto->vqs[i]); + vcrypto->vqs[i].vcrypto = vcrypto; + } + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 3a160f86e..8590b8971 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -4095,3 +4095,13 @@ static void virtio_register_types(void) + } + + type_init(virtio_register_types) ++ ++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, ++ QEMUBHFunc *cb, void *opaque, ++ const char *name) ++{ ++ DeviceState *transport = qdev_get_parent_bus(dev)->parent; ++ ++ return qemu_bh_new_full(cb, opaque, name, ++ &transport->mem_reentrancy_guard); ++} +diff 
--git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h +index c8f72850b..7d5ffdc14 100644 +--- a/include/hw/virtio/virtio.h ++++ b/include/hw/virtio/virtio.h +@@ -22,6 +22,7 @@ + #include "standard-headers/linux/virtio_config.h" + #include "standard-headers/linux/virtio_ring.h" + #include "qom/object.h" ++#include "block/aio.h" + + /* + * A guest should never accept this. It implies negotiation is broken +@@ -508,4 +509,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev) + bool virtio_legacy_allowed(VirtIODevice *vdev); + bool virtio_legacy_check_disabled(VirtIODevice *vdev); + ++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, ++ QEMUBHFunc *cb, void *opaque, ++ const char *name); ++#define virtio_bh_new_guarded(dev, cb, opaque) \ ++ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) ++ + #endif +-- +2.41.0 + diff --git a/qemu.spec b/qemu.spec index 207d9d4f434baa18006d57c0572abbc3a5fe4db3..69a317305277abba51d0e6cb4c2bcf3326069a72 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,4 +1,4 @@ -%define anolis_release 17 +%define anolis_release 18 %bcond_with check @@ -367,6 +367,7 @@ Patch0039:fix-cve-2024-4467.patch Patch1055: 0001-CVE-2023-6683.patch Patch1056: 0002-CVE-2023-6693.patch Patch1057: 0003-CVE-2024-26327.patch +Patch1058: 1058-fix-CVE-2024-3446.patch ExclusiveArch: x86_64 aarch64 loongarch64 @@ -1930,6 +1931,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Tue Aug 20 2024 mgb01105731 -2.8.2.0-18 +- fix CVE-2024-3446 + * Wed Aug 14 2024 pangqing -2.8.2.0-17 - CVE-2024-26327 and CVE-2023-6693 and CVE-2023-6683
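Review bot: `virtio_bh_new_guarded_full()` appended to hw/virtio/virtio.c dereferences `qdev_get_parent_bus(dev)->parent` with no NULL check, so it is only safe once the device is attached to a bus and the transport parent exists; the precondition is implicit and should be stated above the function, e.g. `/* Only valid after the device is attached to a virtio bus: the BH is guarded by the transport's mem_reentrancy_guard, not the device's own. */`. Both converted callers (virtser_port_device_realize and virtio_crypto_device_realize, whose bodies continue outside the inner hunks) appear to run at realize time, where that holds, and the helper matches the upstream one as far as I can tell. As I recall, the upstream CVE-2024-3446 series also converted the virtio-gpu bottom halves, whereas this backport touches only virtio-serial-bus and virtio-crypto; confirm whether hw/display/virtio-gpu.c in this tree still creates BHs with the per-device guard and needs the same change. The patch has no body below the Subject and no upstream commit reference, which makes the backport hard to audit; add the upstream commit ids it was derived from.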