diff --git a/CVE-2024-11596.patch b/CVE-2024-11596.patch
new file mode 100644
index 0000000000000000000000000000000000000000..552f7fb738301060122585be5454309aa494afff
--- /dev/null
+++ b/CVE-2024-11596.patch
@@ -0,0 +1,166 @@
+From 06e0b0bb0925fe4b99cfb7243cce473031b09dee Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Thu, 14 Nov 2024 10:56:37 -0800
+Subject: [PATCH] ECMP: Exorcise a string buffer arithmetic gremlin
+
+Use a wmem_strbuf instead of manually allocating a string and managing
+its offsets.
+
+Avoid appending a dangling space to our string.
+
+Fixes #20214
+
+(cherry picked from commit c8e58870733f88f275ca9a6fa115ed085f987d94)
+
+Conflicts:
+	epan/dissectors/packet-ecmp.c
+
+Origin: https://gitlab.com/wireshark/wireshark/-/commit/06e0b0bb0925fe4b99cfb7243cce473031b09dee
+---
+ epan/dissectors/packet-ecmp.c | 77 ++++++++---------------------------
+ 1 file changed, 16 insertions(+), 61 deletions(-)
+
+diff --git a/epan/dissectors/packet-ecmp.c b/epan/dissectors/packet-ecmp.c
+index 578e5ec..7327f06 100644
+--- a/epan/dissectors/packet-ecmp.c
++++ b/epan/dissectors/packet-ecmp.c
+@@ -1122,72 +1122,54 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si
+ 		proto_tree_add_bytes_format_value(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset-1, 0, NULL, "No data");
+ 	} else {
+ 		/* define some variables  */
+-		gchar*		pdata = NULL; /* pointer to array that stores the formatted data string */
+-		guint16		idx = 0; /* counts through formatted string array */
+-		guint8		value8 = 0; /* placeholder for extracted 8-bit data */
+-		guint16		value16 = 0; /* placeholder for extracted 16-bit data */
+-		guint32		value32 = 0; /* placeholder for extracted 32-bit data */
++		wmem_strbuf_t*	pdata = wmem_strbuf_create(wmem_packet_scope()); /* formatted data string */
+ 		guint16		num_elements_total = 0; /* contains total number of elements (byte/word/long) to be processed  */
+ 		const guint16	num_byte_elements_per_line = 16; /* number of byte (8-bit) elements per line e.g.  "1B " (3 chars per element)  */
+ 		const guint16	num_word_elements_per_line = 16; /* number of word (16-bit) elements per line e.g.  "A81B " (5 chars per element) */
+ 		const guint16	num_long_elements_per_line = 8; /* number of long (32-bit) elements per line e.g.  "01F4A81B " (9 chars per element) */
+ 		guint16		num_elements_per_line = 8; /* counts the current number of elements per line */
+ 		guint16		num_elements = 0; /* counts the number of elements in the format string */
+-		guint16		format_string_size = 0; /* size of dynamic array to hold the formatted string */
+ 		guint16		a = 0; /* value used for looping */
+ 		int		start_offset, line_offset;
+ 
+-		/* calculate format string array size and other stuff                               */
+-		/*                                                                                  */
+-		/* Note: format string does require a nul-terminator (the + 1 in the equations)     */
+-		/*                                                                                  */
+-		/* display = 0:  (byte format  "1D 24 3F ... A3 "                                   */
+-		/*      format_string_size = (num_byte_elements_per_line * 3) + 1                   */
+-		/*                                                                                  */
+-		/* display = 1:  (word format  "1D24 3F84 120B ... 1FA3 "                           */
+-		/*      format_string_size = (num_word_elements_per_line * 5) + 1                   */
+-		/*                                                                                  */
+-		/* display = 2:  (byte format  "1D243F84 9BC08F20 ... 28BB1FA3 "                    */
+-		/*      format_string_size = (num_long_elements_per_line * 9) + 1                   */
++		/* calculate number of elements                                                     */
+ 		/*                                                                                  */
+ 		if (display == cyclic_display_byte_format) {
+-			format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49  */
+ 			num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16  */
+ 			num_elements_total = buffer_size;
+ 		} else if (display == cyclic_display_word_format) {
+-			format_string_size = (num_word_elements_per_line * 5) + 1; /* format_string_size = 81  */
+ 			num_elements_per_line = num_word_elements_per_line; /* num_elements_per_line = 16  */
+ 			num_elements_total = buffer_size >> 1;
+ 		} else if (display == cyclic_display_long_format) {
+-			format_string_size = (num_long_elements_per_line * 9) + 1; /* format_string_size = 73  */
+ 			num_elements_per_line = num_long_elements_per_line; /* num_elements_per_line = 8  */
+ 			num_elements_total = buffer_size >> 2;
+ 		} else {
+-			format_string_size = (num_byte_elements_per_line * 3) + 1; /* format_string_size = 49  */
+ 			num_elements_per_line = num_byte_elements_per_line; /* num_elements_per_line = 16  */
+ 			num_elements_total = buffer_size;
+ 		}
+ 
+-		/* allocate dynamic memory for one line  */
+-		pdata = (gchar *)wmem_alloc(wmem_packet_scope(), format_string_size);
+-
+ 		/* OK, let's get started */
+-		idx = 0;
+ 		num_elements = 0;
+ 
+ 		line_offset = start_offset = offset;
+ 		/* work through the display elements, 1 byte\word\long at a time  */
+-		for (a = 0; a < num_elements_total; a++ )
+-			{
++		for (a = 0; a < num_elements_total; a++ ) {
++			if (wmem_strbuf_get_len(pdata) > 0) {
++				wmem_strbuf_append_c(pdata, ' ');
++			}
++
+ 			/* use Wireshark accessor function to get the next byte, word, or long data  */
+ 			if (display == cyclic_display_byte_format) {
+-				value8 = tvb_get_guint8(tvb, offset);
++				guint8 value8 = tvb_get_guint8(tvb, offset);
++				wmem_strbuf_append_printf(pdata, "%02x", value8);
+ 				offset++;
+ 			} else if (display == cyclic_display_word_format) {
+-				value16 = tvb_get_ntohs(tvb, offset);
++				guint16 value16 = tvb_get_ntohs(tvb, offset);
++				wmem_strbuf_append_printf(pdata, "%04x", value16);
+ 				offset += 2;
+ 			} else if (display == cyclic_display_long_format) {
+-				value32 = tvb_get_ntohl(tvb, offset);
++				guint32 value32 = tvb_get_ntohl(tvb, offset);
++				wmem_strbuf_append_printf(pdata, "%08x", value32);
+ 				offset += 4;
+ 			}
+ 
+@@ -1196,47 +1178,20 @@ static int display_raw_cyclic_data(guint8 display, int offset, guint16 buffer_si
+ 
+ 			/* check if we hit the max number of byte elements per line  */
+ 			if (num_elements >= num_elements_per_line) {
+-				/* we hit end of the current line  */
+-				/* add final value to string */
+-				if (display == cyclic_display_byte_format) {
+-					g_snprintf(&pdata[idx], 32, "%02x",value8);
+-				} else if (display == cyclic_display_word_format) {
+-						g_snprintf(&pdata[idx], 32, "%04x",value16);
+-				} else if (display == cyclic_display_long_format) {
+-					g_snprintf(&pdata[idx], 32, "%08x",value32);
+-				}
+-
+ 				/* display the completed line in the sub-tree  */
+-				proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", pdata);
++				proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, offset, offset-line_offset, NULL, "%s", wmem_strbuf_get_str(pdata));
+ 
+ 				/* start the line over */
+-				idx = 0;
++				wmem_strbuf_truncate(pdata, 0);
+ 				num_elements = 0;
+ 				line_offset = offset;
+-
+-			} else {
+-				/* we're still adding to the current line  */
+-				/* add current value to string */
+-				if (display == cyclic_display_byte_format) {
+-					g_snprintf(&pdata[idx], 32, "%02x ",value8);
+-					idx += 3;
+-				} else if (display == cyclic_display_word_format) {
+-					g_snprintf(&pdata[idx], 32, "%04x ",value16);
+-					idx += 5;
+-				} else if (display == cyclic_display_long_format) {
+-					g_snprintf(&pdata[idx], 32, "%08x ",value32);
+-					idx += 9;
+-				}
+ 			}
+ 		}
+ 
+ 		/* if we exited the loop, see if there's a partial line to display  */
+ 		if (num_elements > 0) {
+-			/* add null-terminator to partial line  */
+-			pdata[idx] = 0x00;
+-
+ 			/* display the partial line in the sub-tree  */
+-			proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", pdata);
++			proto_tree_add_bytes_format(ecmp_current_tree, hf_ecmp_cyclic_data, tvb, start_offset, offset-start_offset, NULL, "%s", wmem_strbuf_get_str(pdata));
+ 		}
+ 	}
+ 	return offset;
+-- 
+2.47.0
+
diff --git a/wireshark.spec b/wireshark.spec
index 1ad9fd1096a9ca176de630e4d0e5402d94b4a1e8..075f08958aea476f09e78af408873b44beb0bfbb 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -5,7 +5,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	3.6.14
-Release:	12
+Release:	13
 Epoch:		1
 License:	GPL+
 Url:		http://www.wireshark.org/
@@ -41,6 +41,7 @@ Patch22:        CVE-2024-4855.patch
 Patch23:        CVE-2024-8250.patch
 Patch24:        CVE-2024-24476.patch
 Patch25:        CVE-2024-8645.patch
+Patch26:        CVE-2024-11596.patch
 
 Requires:	xdg-utils
 Requires:	hicolor-icon-theme
@@ -215,6 +216,9 @@ exit 0
 %{_mandir}/man?/*
 
 %changelog
+* Tue Nov 26 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-13
+- Fix CVE-2024-11596
+
 * Wed Oct 09 2024 yaoxin <yao_xin001@hoperun.com> - 1:3.6.14-12
 - Fix CVE-2024-8645