diff --git a/CVE-2022-38150.patch b/CVE-2022-38150.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a27c1aed8ec5b8b889e4a4f5ee4082da6753978
--- /dev/null
+++ b/CVE-2022-38150.patch
@@ -0,0 +1,64 @@
+From 16ebed1c34646852a881041eb49d559e4a17347e Mon Sep 17 00:00:00 2001
+From: root <root@localhost.localdomain>
+Date: Fri, 19 Aug 2022 17:40:18 +0800
+Subject: [PATCH] Changes to be committed: 	modified:  
+ bin/varnishd/cache/cache_http.c 	new file:  
+ bin/varnishtest/tests/r03830.vtc
+
+---
+ bin/varnishd/cache/cache_http.c  |  2 ++
+ bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 bin/varnishtest/tests/r03830.vtc
+
+diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
+index 09fce7d..d64b36a 100644
+--- a/bin/varnishd/cache/cache_http.c
++++ b/bin/varnishd/cache/cache_http.c
+@@ -900,6 +900,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
+ {
+ 	if (fm->hdf[u] & HDF_FILTER)
+ 		return (1);
++	if (u < HTTP_HDR_FIRST)
++		return (0);
+ #define HTTPH(a, b, c) \
+ 	if (((c) & how) && http_IsHdr(&fm->hd[u], (b))) \
+ 		return (1);
+diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
+new file mode 100644
+index 0000000..5155981
+--- /dev/null
++++ b/bin/varnishtest/tests/r03830.vtc
+@@ -0,0 +1,29 @@
++varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
++
++server s1 {
++	rxreq
++	txresp -reason ":x"
++
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend {
++	sub vcl_recv {
++		return (hash);
++	}
++} -start
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
++
++client c2 {
++	txreq -url :x -method :x
++	rxresp
++	expect resp.status == 200
++} -run
++
++varnish v1 -vsl_catchup
+-- 
+2.33.0
+
diff --git a/varnish.spec b/varnish.spec
index 9002e021da5ab592ca452cf252d2fafcd067e360..0e92ba38ca38e699a982ee358d6f76dd25f65857 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -1,13 +1,14 @@
 Name:             varnish
 Summary:          A web application accelerator
 Version:          6.6.2
-Release:          1
+Release:          2
 License:          BSD
 URL:              https://www.varnish-cache.org/
 Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 
 # https://github.com/varnishcache/pkg-varnish-cache
 Source1:          https://github.com/varnishcache/pkg-varnish-cache/archive/ec7ad9e6c6dd7c9b4f4ba60c5b223376908c3ca6/pkg-varnish-cache-ec7ad9e.tar.gz
+Patch1:           CVE-2022-38150.patch
 
 BuildRequires:    python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires:    ncurses-devel pcre-devel libedit-devel python3
@@ -155,6 +156,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 
 %changelog
+* Fri Aug 19 2022 jiangpeng<jiangpeng01@ncti-gba.cn> - 6.6.2-2
+- Fix CVE-2022-38150
+
 * Tue Apr 26 2022 yaoxin <yaoxin30@h-partners.com> - 6.6.2-1
 - Upgrade varnish to 6.6.2 for fix CVE-2022-23959
 
@@ -175,3 +179,4 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 
 * Mon Feb 10 2020 wangye <wangye54@huawei.com> - 6.0.0-4
 - Init package
+