diff --git a/CVE-2023-39456.patch b/CVE-2023-39456.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3253f2b788998da398c8d884b24038b579117cd8
--- /dev/null
+++ b/CVE-2023-39456.patch
@@ -0,0 +1,29 @@
+From 4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5 Mon Sep 17 00:00:00 2001
+From: Masakazu Kitajo
+Date: Tue, 10 Oct 2023 00:33:06 +0900
+Subject: [PATCH] Reallocate a buffer for H2 header block only if needed
+ (#10568)
+
+Co-authored-by: Bryan Call
+(cherry picked from commit 65dd18632648e5441df115c4ed666af02e61d2d9)
+---
+ proxy/http2/Http2ConnectionState.cc | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/proxy/http2/Http2ConnectionState.cc b/proxy/http2/Http2ConnectionState.cc
+index 888fdc39b5d..dcfab9b6747 100644
+--- a/proxy/http2/Http2ConnectionState.cc
++++ b/proxy/http2/Http2ConnectionState.cc
+@@ -937,8 +937,10 @@ rcv_continuation_frame(Http2ConnectionState &cstate, const Http2Frame &frame)
+ "header blocks too large");
+ }
+
+- stream->header_blocks = static_cast(ats_realloc(stream->header_blocks, stream->header_blocks_length));
+- frame.reader()->memcpy(stream->header_blocks + header_blocks_offset, payload_length);
++ if (payload_length > 0) {
++ stream->header_blocks = static_cast(ats_realloc(stream->header_blocks, stream->header_blocks_length));
++ frame.reader()->memcpy(stream->header_blocks + header_blocks_offset, payload_length);
++ }
+
+ if (frame.header().flags & HTTP2_FLAGS_HEADERS_END_HEADERS) {
+ // NOTE: If there are END_HEADERS flag, decode stored Header Blocks.
diff --git a/trafficserver.spec b/trafficserver.spec
index 19d0d3efc24b70ced8772fd2a4a40b881773b24b..ec15c583d762410c73a8eba1a81b83f6e36f0414 100644
--- a/trafficserver.spec
+++ b/trafficserver.spec
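Review bot: The new `if (payload_length > 0)` guard in rcv_continuation_frame (proxy/http2/Http2ConnectionState.cc) has no comment explaining why an empty CONTINUATION payload must skip the reallocation, although that is the security point of this backport, which the package labels CVE-2023-39456. I would add above the guard: `// Empty CONTINUATION payload: nothing to append, so never call ats_realloc() with a possibly zero length.` With the guard in place, `stream->header_blocks` can presumably still be null when END_HEADERS arrives after only empty fragments, so the decode path below the hunk should be confirmed to handle a null or zero-length block. The function body starts and ends outside the hunk, so that path is not visible here.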
@@ -1,7 +1,7 @@
 %define _hardened_build 1
 Name: trafficserver
 Version: 9.1.4
-Release: 2
+Release: 3
 Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License: Apache-2.0
 URL: https://trafficserver.apache.org/
@@ -15,6 +15,8 @@ Patch0004: Modify-storage.config-for-traffic_cache_tool.patch
 Patch0005: CVE-2022-47184.patch
 # https://github.com/apache/trafficserver/commit/726a79cb2f70fcbe0e2139aab3fe56930d3d8c27
 Patch0006: CVE-2023-33933.patch
+# https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5
+Patch0007: CVE-2023-39456.patch
 BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires: libcap-devel cmake libunwind-devel automake
@@ -117,6 +119,9 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc
 %changelog
+* Mon Jun 16 2025 yaoxin <1024769339@qq.com> - 9.1.4-3
+- Fix CVE-2023-39456
+
 * Tue Dec 19 2023 yaoxin - 9.1.4-2
 - Fix CVE-2022-47184 and CVE-2023-33933