diff --git a/1000-Crash-due-to-misuse-of-window-functions.patch b/1000-Crash-due-to-misuse-of-window-functions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..15a3957246d92e3c286ce8835ac9ab0cb4966128
--- /dev/null
+++ b/1000-Crash-due-to-misuse-of-window-functions.patch
@@ -0,0 +1,115 @@
+From 90d196ae5a4ed2e498c40116e5c0b25fa8a3a826 Mon Sep 17 00:00:00 2001
+From: Liwei Ge
+Date: Thu, 29 Jun 2023 11:19:32 +0800
+Subject: [PATCH] Crash due to misuse of window functions
+
+backport patch from
+https://www.sqlite.org/src/info/579b66eaa0816561
+
+Signed-off-by: Liwei Ge
+---
+ src/resolve.c | 49 ++++++++++++++++++++++++++++++++++-------------
+ test/window1.test | 20 +++++++++++++++++++
+ 2 files changed, 56 insertions(+), 13 deletions(-)
+
+diff --git a/src/resolve.c b/src/resolve.c
+index c47f6bb..9a4acae 100644
+--- a/src/resolve.c
++++ b/src/resolve.c
+@@ -1214,6 +1214,38 @@ int sqlite3ResolveOrderGroupBy(
+ return 0;
+ }
+
++#ifndef SQLITE_OMIT_WINDOWFUNC
++/*
++** Walker callback for resolveRemoveWindows().
++*/
++static int resolveRemoveWindowsCb(Walker *pWalker, Expr *pExpr){
++ if( ExprHasProperty(pExpr, EP_WinFunc) ){
++ Window **pp;
++ for(pp=&pWalker->u.pSelect->pWin; *pp; pp=&(*pp)->pNextWin){
++ if( *pp==pExpr->y.pWin ){
++ *pp = (*pp)->pNextWin;
++ break;
++ }
++ }
++ }
++ return WRC_Continue;
++}
++
++/*
++** Remove any Window objects owned by the expression pExpr from the
++** Select.pWin list of Select object pSelect.
++*/
++static void resolveRemoveWindows(Select *pSelect, Expr *pExpr){
++ Walker sWalker;
++ memset(&sWalker, 0, sizeof(Walker));
++ sWalker.xExprCallback = resolveRemoveWindowsCb;
++ sWalker.u.pSelect = pSelect;
++ sqlite3WalkExpr(&sWalker, pExpr);
++}
++#else
++# define resolveRemoveWindows(x,y)
++#endif
++
+ /*
+ ** pOrderBy is an ORDER BY or GROUP BY clause in SELECT statement pSelect.
+ ** The Name context of the SELECT statement is pNC. zType is either
+@@ -1280,19 +1312,10 @@ static int resolveOrderGroupBy(
+ }
+ for(j=0; jpEList->nExpr; j++){
+ if( sqlite3ExprCompare(0, pE, pSelect->pEList->a[j].pExpr, -1)==0 ){
+-#ifndef SQLITE_OMIT_WINDOWFUNC
+- if( ExprHasProperty(pE, EP_WinFunc) ){
+- /* Since this window function is being changed into a reference
+- ** to the same window function the result set, remove the instance
+- ** of this window function from the Select.pWin list. */
+- Window **pp;
+- for(pp=&pSelect->pWin; *pp; pp=&(*pp)->pNextWin){
+- if( *pp==pE->y.pWin ){
+- *pp = (*pp)->pNextWin;
+- }
+- }
+- }
+-#endif
++ /* Since this expresion is being changed into a reference
++ ** to an identical expression in the result set, remove all Window
++ ** objects belonging to the expression from the Select.pWin list. */
++ resolveRemoveWindows(pSelect, pE);
+ pItem->u.x.iOrderByCol = j+1;
+ }
+ }
+diff --git a/test/window1.test b/test/window1.test
+index 13ecc32..9eef1cf 100644
+--- a/test/window1.test
++++ b/test/window1.test
+@@ -594,6 +594,26 @@ do_execsql_test 13.5 {
+ } {
+ }
+
++#-------------------------------------------------------------------------
++do_execsql_test 17.0 {
++ CREATE TABLE t8(a);
++ INSERT INTO t8 VALUES(1), (2), (3);
++}
++
++do_execsql_test 17.1 {
++ SELECT +sum(0) OVER () ORDER BY +sum(0) OVER ();
++} {0}
++
++do_execsql_test 17.2 {
++ select +sum(a) OVER () FROM t8 ORDER BY +sum(a) OVER () DESC;
++} {6 6 6}
++
++do_execsql_test 17.3 {
++ SELECT 10+sum(a) OVER (ORDER BY a)
++ FROM t8
++ ORDER BY 10+sum(a) OVER (ORDER BY a) DESC;
++} {16 13 11}
++
+ # 2020-05-23
+ # ticket 7a5279a25c57adf1
+ #
+--
+2.27.0
+
diff --git a/sqlite.spec b/sqlite.spec
index 7b89a328e1458c676f237dbf29d1bb87222f42ea..fad90c40ed36ed6073c93b0a6c6c88b7d61d264e 100644
--- a/sqlite.spec
+++ b/sqlite.spec
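Review bot: The `break;` added in `resolveRemoveWindowsCb` changes how the unlink loop behaves compared with the removed inline loop, and it carries no comment saying why. In the removed code, once `*pp = (*pp)->pNextWin;` had unlinked the last list entry, the `for` step `pp=&(*pp)->pNextWin` was still evaluated with `*pp` possibly NULL; the new loop stops at the first match instead. I would record that beside the statement, e.g. `break;  /* entry unlinked; *pp may now be NULL, so do not advance */`. Separately, the patch description names only the upstream check-in while the spec changelog attributes the fix to CVE-2020-24736, so a line such as `Resolves: CVE-2020-24736` under the URL would let the patch file be matched to the advisory on its own.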
@@ -10,7 +10,7 @@ Summary: Library that implements an embeddable SQL database engine Name: sqlite Version: %{rpmver} -Release: 17%{?dist} +Release: 18%{?dist} License: Public Domain Group: Applications/Databases URL: http://www.sqlite.org/ @@ -102,6 +102,8 @@ Patch36: sqlite-3.26.0-CVE-2020-35525.patch # https://www.sqlite.org/src/info/26db4fc22fe66658 Patch37: sqlite-3.26.0-CVE-2022-35737.patch +Patch1000: 1000-Crash-due-to-misuse-of-window-functions.patch + BuildRequires: ncurses-devel readline-devel glibc-devel BuildRequires: autoconf %if %{with tcl} @@ -234,6 +236,8 @@ This package contains the analysis program for %{name}. %patch36 -p1 %patch37 -p1 +%patch1000 -p1 + # Remove backup-file rm -f %{name}-doc-%{docver}/sqlite.css~ || : @@ -334,6 +338,9 @@ make test %endif %changelog +* Thu Jun 29 2023 Liwei Ge - 3.26.0-18 +- Fixed CVE-2020-24736 + * Tue Nov 15 2022 Zuzana Miklankova - 3.26.0-17 - Fixed CVE-2022-35737
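Review bot: `Patch1000` is added without the provenance comment that the neighbouring entry has; `Patch37` sits directly under `# https://www.sqlite.org/src/info/26db4fc22fe66658`. Adding `# https://www.sqlite.org/src/info/579b66eaa0816561` (the check-in the patch header cites) on the line above `Patch1000:` would keep the upstream source of each security patch visible in the spec itself. The changelog hunk names CVE-2020-24736, so the same comment line could carry that identifier as well.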