diff --git a/0038-release-branch.go1.16-net-http-update-bundled-golang.patch b/0038-release-branch.go1.16-net-http-update-bundled-golang.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fba2c8528dccd34fb41846c69ab8b3fb3a6614a0
--- /dev/null
+++ b/0038-release-branch.go1.16-net-http-update-bundled-golang.patch
@@ -0,0 +1,50 @@
+From 1f226a80a67985391b1e511dd1102cc6d9b6ee37 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda
+Date: Wed, 19 Jan 2022 10:38:24 +0800
+Subject: [PATCH] [release-branch.go1.16] net/http: update bundled
+ golang.org/x/net/http2
+
+Pull in security fix
+
+ a5309b3 http2: cap the size of the server's canonical header cache
+
+Updates #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+Reviewed-by: Alex Rakoczy
+TryBot-Result: Gopher Robot
+
+Conflict:NA
+Reference:https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a
+---
+ src/net/http/h2_bundle.go | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index e9a55f3..18c87be 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4285,7 +4285,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
+
+--
+2.30.0
+
diff --git a/golang.spec b/golang.spec
index 242bc008646ffa92b7377595066c906eeb4c665b..8f2fbcdbf81dd23845e74447f3f9a6cb19652ee5 100644
--- a/golang.spec
+++ b/golang.spec
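Review bot: The new `if len(sc.canonHeader) < maxCachedCanonicalHeaders` guard is a fill-once cap with no eviction, so after 32 distinct uncommon keys on a connection every later uncommon key bypasses the cache and is re-canonicalized per request; that is the intended bounded-memory trade-off for CVE-2021-44716, but the comment only explains the limit, not that the cache stops admitting entries, so a line like `// Once full, the cache is never evicted; further keys fall back to CanonicalHeaderKey on each call.` would help the next maintainer. Because this file is a verbatim backport of the referenced upstream commit (the `unreaasonable` typo is upstream's), keep the hunk byte-identical and record any wording concern in the spec changelog rather than editing the patch. The `@@ -4285,7 +4285,15 @@` offsets were generated against the go1.16 branch while this spec builds 1.13.15; `Conflict:NA` says it applied, but it is worth confirming that 1.13.15's h2_bundle.go has the same `canonHeader` cache shape so the guard lands in the right function. The enclosing canonicalHeader function begins before this hunk.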
@@ -62,7 +62,7 @@ Name: golang Version: 1.13.15 -Release: 7 +Release: 8 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -176,6 +176,7 @@ Patch6034: 0034-net-reject-leading-zeros-in-IP-address-parsers.patch Patch6035: 0035-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch Patch6036: 0036-net-http-httputil-close-incoming-ReverseProxy-reques.patch Patch6037: 0037-release-branch.go1.16-debug-macho-fail-on-invalid-dy.patch +Patch6038: 0038-release-branch.go1.16-net-http-update-bundled-golang.patch ExclusiveArch: %{golang_arches} @@ -409,6 +410,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Wed Jan 19 2022 hanchao - 1.13.15-8 +- fix CVE-2021-44716 + * Thu Nov 16 2021 chenjiankun - 1.13.15-7 - fix CVE-2021-41771
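Review bot: The `+Patch6038:` declaration in the second hunk is only half of the registration if this spec applies patches with explicit `%patchN` lines in `%prep`; no matching apply line is added in this diff, so either confirm `%prep` applies every `PatchNNNN` tag from a loop or add `%patch6038 -p1` alongside the declaration. If patches are applied by a loop, nothing further is needed, but the build should be checked to show the new patch actually being applied, since a declared-but-unapplied patch would leave the CVE-2021-44716 fix out while the changelog claims it. The `Release: 8` bump and changelog entry are consistent with each other.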