diff --git a/CVE-2024-41184-vrrp-Handle-empty-ipset-names.patch b/CVE-2024-41184-vrrp-Handle-empty-ipset-names.patch
new file mode 100644
index 0000000000000000000000000000000000000000..66eb2f7532beb0b6e1a04ccc3f9e99081ef750d9
--- /dev/null
+++ b/CVE-2024-41184-vrrp-Handle-empty-ipset-names.patch
@@ -0,0 +1,98 @@
+From e78513fe0ce5d83c226ea2c0bd222f375c2438e7 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage
+Date: Fri, 12 Jul 2024 15:16:47 +0100
+Subject: [PATCH] vrrp: Handle empty ipset names with vrrp_ipsets keyword
+
+We now handle empty ipset names and return a config error.
+
+Signed-off-by: Quentin Armitage
+---
+ keepalived/core/global_parser.c | 36 +++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index a3f2329..504b9a1 100644
+--- a/keepalived/core/global_parser.c
++++ b/keepalived/core/global_parser.c
+@@ -1086,6 +1086,22 @@ vrrp_iptables_handler(const vector_t *strvec)
+ }
+ }
+ #ifdef _HAVE_LIBIPSET_
++static bool
++check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
++{
++ if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
++ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
++ return false;
++ }
++
++ if (strlen(strvec_slot(strvec, entry)) == 0) {
++ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
++ return false;
++ }
++
++ return true;
++}
++
+ static void
+ vrrp_ipsets_handler(const vector_t *strvec)
+ {
+@@ -1103,17 +1119,13 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ return;
+ }
+
+- if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 1, "address"))
+ return;
+- }
+ global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
+
+ if (vector_size(strvec) >= 3) {
+- if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 2, "IPv6 address"))
+ return;
+- }
+ global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
+ }
+ else {
+@@ -1124,10 +1136,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ global_data->vrrp_ipset_address6 = STRDUP(set_name);
+ }
+ if (vector_size(strvec) >= 4) {
+- if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 3, "IPv6 address_iface"))
+ return;
+- }
+ global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
+ }
+ else {
+@@ -1142,10 +1152,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ }
+
+ if (vector_size(strvec) >= 5) {
+- if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 4, "IGMP"))
+ return;
+- }
+ global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
+ }
+ else {
+@@ -1156,10 +1164,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ global_data->vrrp_ipset_igmp = STRDUP(set_name);
+ }
+ if (vector_size(strvec) >= 6) {
+- if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
+- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
++ if (!check_valid_ipset_name(strvec, 5, "MLD"))
+ return;
+- }
+ global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
+ }
+ else {
+--
+2.41.0
+
diff --git a/keepalived.spec b/keepalived.spec
index 7a13955273902c89e5c03221c52c0ec7eac1d129..ebe173ea20e5b95314f8cd6c66d14406ddc8cf09 100644
--- a/keepalived.spec
+++ b/keepalived.spec
@@ -9,7 +9,7 @@ Name: keepalived Version: 2.2.8 -Release: 1 +Release: 2 Summary: High Availability monitor built upon LVS, VRRP and service pollers License: GPLv2+ URL: http://www.keepalived.org/
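Review bot: In the added CVE-2024-41184 patch, vrrp_ipsets_handler still validates each name only immediately before storing it, so a line whose first name is valid but whose later name is empty or too long returns after `global_data->vrrp_ipset_address` (and possibly further fields) has already been assigned, even though the message says the entry is "ignored". Running check_valid_ipset_name over every supplied name before the first STRDUP would make the rejection all-or-nothing, as sketched below. The start of the handler and the else branches that derive default set names lie outside the hunks, so whether a half-populated set of names is tolerated later cannot be confirmed from here. Separately, the helper deserves a short comment stating that the caller must already have checked `entry` against `vector_size(strvec)`.

```c
static const char * const ipset_log_names[] = {
	"address", "IPv6 address", "IPv6 address_iface", "IGMP", "MLD"
};
unsigned i;

/* … unchanged: earlier checks in vrrp_ipsets_handler (outside the hunk) … */

/* Reject the whole keyword before any global_data field is touched. */
for (i = 1; i < vector_size(strvec) &&
	    i <= sizeof(ipset_log_names) / sizeof(ipset_log_names[0]); i++) {
	if (!check_valid_ipset_name(strvec, i, ipset_log_names[i - 1]))
		return;
}

global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
/* … unchanged: per-name STRDUP and default-name branches, without their own checks … */
```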
@@ -19,6 +19,8 @@ Source2: keepalived-stop-post.sh Source3: keepalived-start-post.sh Source4: keepalived-pid-check.sh +Patch01: CVE-2024-41184-vrrp-Handle-empty-ipset-names.patch + Requires(post): systemd Requires(preun): systemd Requires(postun): systemd
@@ -102,6 +104,9 @@ install -Dd -m 0755 %{buildroot}%{_libexecdir}/keepalived %{_mandir}/man* %changelog +* Mon Jul 22 2024 yinyongkang - 2.2.8-2 +- Fix CVE-2024-41184 + * Sun Feb 18 2024 sunsuwan - 2.2.8-1 - Type:bugfix - ID:NA
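Review bot: `Patch01:` is declared in the `@@ -19,6 +19,8 @@` hunk, but the `%prep` section is not part of this diff, so nothing visible shows that the patch is actually applied at build time. If `%prep` uses `%autosetup -p1` no further change is needed; if it uses plain `%setup`, a `%patch -P1 -p1` line has to be added there. Otherwise the package would be released as 2.2.8-2 with a changelog entry claiming the CVE-2024-41184 fix while global_parser.c is built unpatched, so it is worth confirming in the build log that the patch is applied.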