diff --git a/backport-fix-potential-memory-leak-in-merge_patch.patch b/backport-fix-potential-memory-leak-in-merge_patch.patch new file mode 100644 index 0000000000000000000000000000000000000000..9bde2bd5b3ec4b1557e8a0ee22b9b8e77445fc16 --- /dev/null +++ b/backport-fix-potential-memory-leak-in-merge_patch.patch @@ -0,0 +1,12 @@ +diff --git a/cJSON_Utils.c b/cJSON_Utils.c +index c7c6439..63651df 100644 +--- a/cJSON_Utils.c ++++ b/cJSON_Utils.c +@@ -1367,6 +1367,7 @@ static cJSON *merge_patch(cJSON *target, const cJSON * const patch, const cJSON_ + replacement = merge_patch(replace_me, patch_child, case_sensitive); + if (replacement == NULL) + { ++ cJSON_Delete(target); + return NULL; + } + diff --git a/cjson.spec b/cjson.spec index 0d57a5094210ec94135869a93a5540534be9d553..ad07f22eea9287cf3b52f3b8551ab7ce744d51d9 100644 --- a/cjson.spec +++ b/cjson.spec @@ -1,6 +1,6 @@ Name: cjson Version: 1.7.15 -Release: 2 +Release: 3 Summary: Ultralightweight JSON parser in ANSI C License: MIT and ASL 2.0 @@ -8,6 +8,7 @@ URL: https://github.com/DaveGamble/cJSON Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz Patch0001: backport-CVE-2023-50471_50472.patch +Patch0002: backport-fix-potential-memory-leak-in-merge_patch.patch BuildRequires: gcc BuildRequires: cmake @@ -52,6 +53,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake %{_includedir}/cjson/ %changelog +* Tue Mar 05 2024 xiejing - 1.7.15-3 +- fix potential memory leak in merge_patch() + * Sun Dec 24 2023 liningjie - 1.7.15-2 - Fix CVE-2023-50471 CVE-2023-50472
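Review bot: The added `cJSON_Delete(target);` in the `replacement == NULL` branch means a NULL return from merge_patch on this path leaves `target` already freed, and nothing in the hunk records that ownership rule. A caller that keeps its own pointer to the target and frees or reuses it after a failed merge would then double-free or read freed memory, so the contract is worth stating next to the fix, e.g. `/* target is consumed on failure: callers must not use or free it after a NULL return */`. merge_patch begins and ends outside the hunk, so whether its other failure paths and the public wrappers already follow and document the same rule cannot be confirmed from here.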
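Review bot: `Patch0002:` is added with nothing that ties the backport to its upstream source: the patch file it names starts directly at `diff --git a/cJSON_Utils.c`, with no commit id, author or subject header, and the new changelog entry gives no reference either. For a carried memory-safety fix that makes it hard to check the backport against upstream later or to tell whether a future rebase already contains it. I would add a comment line above `Patch0002:` such as `# Upstream: <upstream-commit-url>` (placeholder, to be filled with the real reference), or keep the original patch header in the file.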