diff --git a/0054-release-branch.go1.16-net-http-update-bundled-golang.patch b/0054-release-branch.go1.16-net-http-update-bundled-golang.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4436b9edf80479aa869b44d63fd200b789ca0bf7
--- /dev/null
+++ b/0054-release-branch.go1.16-net-http-update-bundled-golang.patch
@@ -0,0 +1,50 @@
+From 97b9a8c1e595e2527654e8e4124e4ebc048548a2 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda
+Date: Wed, 19 Jan 2022 11:31:33 +0800
+Subject: [PATCH] [release-branch.go1.16] net/http: update bundled
+ golang.org/x/net/http2
+
+Pull in security fix
+
+ a5309b3 http2: cap the size of the server's canonical header cache
+
+Updates #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ifdd13f97fce168de5fb4b2e74ef2060d059800b9
+Reviewed-on: https://go-review.googlesource.com/c/go/+/370575
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+Reviewed-by: Alex Rakoczy
+TryBot-Result: Gopher Robot
+
+Conflict:NA
+Reference:https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a
+---
+ src/net/http/h2_bundle.go | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 3d83084..06f8808 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -4289,7 +4289,15 @@ func (sc *http2serverConn) canonicalHeader(v string) string {
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
+
+--
+2.30.0
+
diff --git a/golang.spec b/golang.spec
index 6ec784df4e80863e4a0c3c999f9d9a1bd5b80bfe..2101c083f6a649b1087712cd8acc494639affd73 100644
--- a/golang.spec
+++ b/golang.spec
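Review bot: The backported hunk bounds `sc.canonHeader`, but the bound it introduces is per server connection — the map hangs off the `*http2serverConn` receiver shown in the inner `@@` header — so the packaging note in the patch header should say that worst-case growth of this cache is now about `maxCachedCanonicalHeaders` (32) entries per live HTTP/2 connection, not zero, and that overall memory is still governed by how many connections the server accepts. Once the map holds 32 entries the new `if len(sc.canonHeader) < maxCachedCanonicalHeaders` guard stops inserting and never evicts, so further uncommon keys are recomputed through `CanonicalHeaderKey(v)` on every call; that is a CPU cost rather than a memory one and matches the upstream design, but a one-line remark in the "Pull in security fix" paragraph such as `Cache is capped at 32 entries per connection; no eviction` would save the next maintainer rereading the code. The added comment carries the typo "unreaasonable" (present in the referenced upstream commit); since this file is a verbatim backport I would leave it rather than diverge from upstream. The enclosing `canonicalHeader` function begins before the inner hunk and is not visible here.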
@@ -62,7 +62,7 @@ Name: golang Version: 1.15.7 -Release: 5 +Release: 6 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -199,6 +199,7 @@ Patch6050: 0050-release-branch.go1.15-crypto-tls-test-key-type-when-.patch Patch6051: 0051-net-reject-leading-zeros-in-IP-address-parsers.patch Patch6052: 0052-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch Patch6053: 0053-net-http-httputil-close-incoming-ReverseProxy-reques.patch +Patch6054: 0054-release-branch.go1.16-net-http-update-bundled-golang.patch Patch9001: 0001-drop-hard-code-cert.patch @@ -432,6 +433,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Wed Jan 19 2022 hanchao - 1.15.7-6 +- fix CVE-2021-44716 + * Wed Oct 27 2021 chenjiankun - 1.15.7-5 - fix CVE-2021-33195,CVE-2021-33196,CVE-2021-33197,CVE-2021-33198,CVE-2021-34558,CVE-2021-29923,CVE-2021-38297,CVE-2021-36221