diff --git a/apache-poi.spec b/apache-poi.spec
index 470c07b9d018a692a3f46df472562d609dd4ebe0..1302b8781753925496aeee806eed30aacdf73603 100644
--- a/apache-poi.spec
+++ b/apache-poi.spec
@@ -1,7 +1,7 @@
 %global reldate 20170915
 Name: apache-poi
 Version: 3.17
-Release: 3
+Release: 4
 Summary: The Java API for Microsoft Documents
 License: ASL 2.0 and (CC-BY and CC-BY-SA and W3C) and GPLv3
 URL: http://poi.apache.org/
@@ -20,6 +20,7 @@ Source8: http://uri.etsi.org/01903/v1.4.1/XAdESv141.xsd
 Patch1: apache-poi-3.14-compile-xsds.patch
 Patch2: apache-poi-3.14-build.patch
 Patch3: Adjust-handling-of-SchemaFactory.patch
+Patch4: backport-CVE-2022-26336.patch
 BuildArch: noarch
 BuildRequires: jacoco javapackages-local jmh jmh-generator-annprocess
 BuildRequires: apache-commons-collections4 >= 4.1 apache-commons-codec apache-commons-logging
@@ -65,6 +66,7 @@ This package contains the API documentation for %{name}.
 %patch1
 %patch2
 %patch3 -p1
+%patch4 -p1
 find -name '*.class' -delete
 find -name '*.jar' -delete
 mkdir lib ooxml-lib
@@ -134,6 +136,9 @@ done
 %license LICENSE NOTICE
 %changelog
+* Fri Dec 22 2023 shaominghao - 3.17-4
+- Fix CVE-2022-26336
+
 * Mon Feb 14 2022 wangkai - 3.17-3
 - Rebuild for fix log4j1.x cves
diff --git a/backport-CVE-2022-26336.patch b/backport-CVE-2022-26336.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3e2c1285e8dcdc20f24a2309204a7ae63b2e7c2c
--- /dev/null
+++ b/backport-CVE-2022-26336.patch
@@ -0,0 +1,54 @@
+From 38f9ae16e72920d97244f3d1fd0036d8271c56c2 Mon Sep 17 00:00:00 2001
+From: shaominghao
+Date: Fri, 22 Dec 2023 14:24:29 +0800
+Subject: [PATCH] Fix CVE-2022-26336
+
+---
+ .../apache/poi/hmef/attribute/MAPIAttribute.java | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java b/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java
+index 90e4ffed..8eb7c83a 100644
+--- a/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java
++++ b/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java
+@@ -131,7 +131,9 @@ public class MAPIAttribute {
+ MAPIProperty prop = MAPIProperty.get(id);
+ if(id >= 0x8000 && id <= 0xFFFF) {
+ byte[] guid = new byte[16];
+- IOUtils.readFully(inp, guid);
++ if (IOUtils.readFully(inp, guid) < 0) {
++ throw new IOException("Not enough data to read guid");
++ }
+ int mptype = LittleEndian.readInt(inp);
+
+ // Get the name of it
+@@ -145,7 +147,9 @@ public class MAPIAttribute {
+ // Custom name was stored
+ int mplen = LittleEndian.readInt(inp);
+ byte[] mpdata = new byte[mplen];
+- IOUtils.readFully(inp, mpdata);
++ if (IOUtils.readFully(inp, mpdata) < 0) {
++ throw new IOException("Not enough data to read " + mplen + " bytes for attribute name");
++ }
+ name = StringUtil.getFromUnicodeLE(mpdata, 0, (mplen/2)-1);
+ skipToBoundary(mplen, inp);
+ }
+@@ -165,7 +169,9 @@ public class MAPIAttribute {
+ for(int j=0; j