diff --git a/0001-tighten-check-in-check_fd_under_path.patch b/0001-tighten-check-in-check_fd_under_path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a4685494c7458c2e64df3e724f4e4d89bcb99eb3
--- /dev/null
+++ b/0001-tighten-check-in-check_fd_under_path.patch
@@ -0,0 +1,27 @@
+From f6f92b872352e7ee29d7e91552150712437bf808 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Erik=20Sj=C3=B6lund?= <erik.sjolund@gmail.com>
+Date: Sat, 26 Aug 2023 11:18:00 +0200
+Subject: [PATCH] utils: tighten check in check_fd_under_path()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Giuseppe Scrivano <giuseppe@scrivano.org>
+Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
+---
+ src/libcrun/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcrun/utils.c b/src/libcrun/utils.c
+index ce0844481..1b7104a4b 100644
+--- a/src/libcrun/utils.c
++++ b/src/libcrun/utils.c
+@@ -333,7 +333,7 @@ check_fd_under_path (const char *rootfs, size_t rootfslen, int fd, const char *f
+   if (UNLIKELY (ret < 0))
+     return crun_make_error (err, errno, "readlink `%s`", fdname);
+ 
+-  if (((size_t) ret) <= rootfslen || memcmp (link, rootfs, rootfslen) != 0)
++  if (((size_t) ret) <= rootfslen || memcmp (link, rootfs, rootfslen) != 0 || link[rootfslen] != '/')
+     return crun_make_error (err, 0, "target `%s` not under the directory `%s`", fdname, rootfs);
+ 
+   return 0;
diff --git a/crun.spec b/crun.spec
index 44678598b1484e7206f191ecf64b5e4fe26d5b25..ac33ae041b67cc2c590956775c85b49359275872 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,8 +1,11 @@
 Name:            crun
 Version:         1.8.7
-Release:         2
+Release:         3
 Summary:         A fast and low-memory footprint OCI Container Runtime fully written in C.
 URL:             https://github.com/containers/%{name}
+
+Patch1:          0001-tighten-check-in-check_fd_under_path.patch
+
 Source0:         https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
 License:         GPL-2.0-only
 BuildRequires:   autoconf
@@ -54,6 +57,9 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %{_mandir}/man1/*
 
 %changelog
+* Fri Jul 19 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 1.8.7-3
+- utils: tighten check in check_fd_under_path()
+
 * Sun Apr 28 2024 yinsist <jianhui.oerv@isrc.iscas.ac.cn> - 1.8.7-2
 - Disable criu dependency for RISC-V as criu does not currently support RISC-V