diff --git a/apache-poi.spec b/apache-poi.spec
index 470c07b9d018a692a3f46df472562d609dd4ebe0..df1ac76b9ce30103aaf2ba8d59921cc42f596369 100644
--- a/apache-poi.spec
+++ b/apache-poi.spec
@@ -1,7 +1,7 @@
 %global reldate 20170915
 Name: apache-poi
 Version: 3.17
-Release: 3
+Release: 4
 Summary: The Java API for Microsoft Documents
 License: ASL 2.0 and (CC-BY and CC-BY-SA and W3C) and GPLv3
 URL: http://poi.apache.org/
@@ -20,6 +20,7 @@ Source8: http://uri.etsi.org/01903/v1.4.1/XAdESv141.xsd
 Patch1: apache-poi-3.14-compile-xsds.patch
 Patch2: apache-poi-3.14-build.patch
 Patch3: Adjust-handling-of-SchemaFactory.patch
+Patch4: backport-CVE-2022-26336.patch
 BuildArch: noarch
 BuildRequires: jacoco javapackages-local jmh jmh-generator-annprocess
 BuildRequires: apache-commons-collections4 >= 4.1 apache-commons-codec apache-commons-logging
@@ -65,6 +66,7 @@ This package contains the API documentation for %{name}.
 %patch1
 %patch2
 %patch3 -p1
+%patch4 -p1
 find -name '*.class' -delete
 find -name '*.jar' -delete
 mkdir lib ooxml-lib
@@ -134,6 +136,9 @@ done
 %license LICENSE NOTICE
 %changelog
+* Mon Dec 25 2023 wangweichao - 3.17-4
+- Fix CVE-2022-26336
+
 * Mon Feb 14 2022 wangkai - 3.17-3
 - Rebuild for fix log4j1.x cves
diff --git a/backport-CVE-2022-26336.patch b/backport-CVE-2022-26336.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cf145ce412cac6d5d3ed6d85b8df93515714d8ae
--- /dev/null
+++ b/backport-CVE-2022-26336.patch
@@ -0,0 +1,49 @@
+From 0131634c3102060d75082fe807ac064be17ab5ae Mon Sep 17 00:00:00 2001
+From: https://bz.apache.org/bugzilla/show_bug.cgi?id=65899#attach_38203
+Date: Mon, 25 Dec 2023 18:28:14 +0800
+Subject: [PATCH] backport-CVE-2022-26336
+
+---
+ .../org/apache/poi/hmef/attribute/MAPIAttribute.java | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java b/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java
+index 90e4ffe..dc6e94b 100644
+--- a/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java
++++ b/src/scratchpad/src/org/apache/poi/hmef/attribute/MAPIAttribute.java
+@@ -131,7 +131,9 @@ public class MAPIAttribute {
+ MAPIProperty prop = MAPIProperty.get(id);
+ if(id >= 0x8000 && id <= 0xFFFF) {
+ byte[] guid = new byte[16];
+- IOUtils.readFully(inp, guid);
++ if (IOUtils.readFully(inp, guid) < 0) {
++ throw new IOException("Not enough data to read guid");
++ }
+ int mptype = LittleEndian.readInt(inp);
+
+ // Get the name of it
+@@ -145,7 +147,9 @@ public class MAPIAttribute {
+ // Custom name was stored
+ int mplen = LittleEndian.readInt(inp);
+ byte[] mpdata = new byte[mplen];
+- IOUtils.readFully(inp, mpdata);
++ if (IOUtils.readFully(inp, mpdata) < 0) {
++ throw new IOException("Not enough data to read " + mplen + " bytes for attribute name");
++ }
+ name = StringUtil.getFromUnicodeLE(mpdata, 0, (mplen/2)-1);
+ skipToBoundary(mplen, inp);
+ }
+@@ -165,7 +169,9 @@ public class MAPIAttribute {
+ for(int j=0; j