diff --git a/CVE-2024-6655.patch b/CVE-2024-6655.patch
new file mode 100644
index 0000000000000000000000000000000000000000..131622ac35f546bc73861fae622b3e37cff4e30a
--- /dev/null
+++ b/CVE-2024-6655.patch
@@ -0,0 +1,34 @@
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 15 Jun 2024 14:18:01 -0400
+Subject: Stop looking for modules in cwd
+
+This is just not a good idea. It is surprising, and can be misused.
+
+Fixes: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+(cherry picked from commit 3bbf0b6176d42836d23c36a6ac410e807ec0a7a7)
+
+Origin: gtk 3.24.43
+---
+ gtk/gtkmodules.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/gtk/gtkmodules.c b/gtk/gtkmodules.c
+index 50729b6..c0f0c30 100644
+--- a/gtk/gtkmodules.c
++++ b/gtk/gtkmodules.c
+@@ -229,13 +229,8 @@ find_module (const gchar *name)
+   gchar *module_name;
+ 
+   module_name = _gtk_find_module (name, "modules");
+-  if (!module_name)
+-    {
+-      /* As last resort, try loading without an absolute path (using system
+-       * library path)
+-       */
+-      module_name = g_module_build_path (NULL, name);
+-    }
++  if (module_name == NULL)
++    return NULL;
+ 
+   module = g_module_open (module_name, G_MODULE_BIND_LOCAL | G_MODULE_BIND_LAZY);
+ 
diff --git a/gtk2.spec b/gtk2.spec
index 78aedeb753afce161f86c37cfbac9fed49a0ec06..c9013d229c0809834a676138a892c3dcb89e0283 100644
--- a/gtk2.spec
+++ b/gtk2.spec
@@ -6,7 +6,7 @@
 #Basic Information
 Name:            gtk2
 Version:         2.24.32
-Release:         10
+Release:         11
 Summary:         GTK+ graphical user interface library
 License:         LGPLv2+
 URL:             http://www.gtk.org
@@ -22,6 +22,8 @@ Patch2:  icon-padding.patch
 Patch8:  tooltip-positioning.patch
 # https://bugzilla.gnome.org/show_bug.cgi?id=611313
 Patch15: window-dragging.patch
+# https://gitlab.gnome.org/GNOME/gtk/-/issues/6786
+Patch16: CVE-2024-6655.patch
 
 #Dependency
 BuildRequires:   pkgconfig(glib-2.0) >= 2.28.0 pkgconfig(atk) >= 2.28.0
@@ -232,6 +234,9 @@ gtk-query-immodules-2.0-64 --update-cache
 %{_mandir}/man1/gtk-builder-convert.1.gz
 
 %changelog
+* Mon Jul 15 2024 Funda Wang <fundawang@yeah.net> - 2.24.32-11
+- fix CVE-2024-6655: Library injection from CWD
+
 * Thu Jan 18 2024 zhangpan <zhangpan103@h-partners.com> - 2.24.32-10
 - revert last commit