diff --git a/backport-CVE-2023-0286.patch b/backport-CVE-2023-0286.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09c39465f1350ffe620afe6b3f729fc37a3d9087
--- /dev/null
+++ b/backport-CVE-2023-0286.patch
@@ -0,0 +1,38 @@
+From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47cd9..e54ddc55c957 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
++++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce58..e61c0f29d4b4 100644
+--- a/Cryptlib/Include/openssl/x509v3.h
++++ b/Cryptlib/Include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/shim.spec b/shim.spec
index 5dce403cfbb8b90c0d6034584b4fe08c798c608a..b6225ef313d05538addc85f8fc7870323d406db1 100644
--- a/shim.spec
+++ b/shim.spec
@@ -22,7 +22,7 @@
 
 Name:		shim
 Version:	15
-Release:        25
+Release:        26
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:  x86_64 aarch64
 License:	BSD
@@ -53,6 +53,7 @@ Patch18:       backport-CVE-2021-23840.patch
 Patch19:       backport-CVE-2021-23841.patch
 Patch20:       backport-CVE-2022-0778.patch
 Patch21:       backport-CVE-2021-3712.patch
+Patch22:       backport-CVE-2023-0286.patch
 
 BuildRequires:	elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
 Requires:       dbxtool efi-filesystem mokutil
@@ -151,6 +152,9 @@ cd ..
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Tue Feb 14 2023 jinlun <jinlun@huawei.com> - 15-26
+- fix CVE-2023-0286
+
 * Tue Dec 13 2022 jinlun <jinlun@huawei.com> - 15-25
 - add edition number