diff --git a/fix-cve-2023-40547-40548.patch b/fix-cve-2023-40547-40548.patch
new file mode 100644
index 0000000000000000000000000000000000000000..faed23020b27edf3c2b116e2ebed1c64116ac7f5
--- /dev/null
+++ b/fix-cve-2023-40547-40548.patch
@@ -0,0 +1,72 @@
+From 428c26a1fd3bf447db8db32abda1175465754e9c Mon Sep 17 00:00:00 2001
+From: Yang_X_Y
+Date: Mon, 5 Aug 2024 11:26:14 +0800
+Subject: [PATCH] fix-cve-2023-40547/40548
+
+---
+ httpboot.c | 8 +++++++-
+ pe.c | 6 +++++-
+ shim.c | 6 ++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/httpboot.c b/httpboot.c
+index dfa493b..b34dd49 100644
+--- a/httpboot.c
++++ b/httpboot.c
+@@ -578,7 +578,13 @@ receive_http_response(EFI_HTTP_PROTOCOL *http, VOID **buffer, UINT64 *buf_size)
+ }
+
+ if (*buf_size == 0) {
+- perror(L"Failed to get Content-Lenght\n");
++ perror(L"Failed to get Content-Length\n");
++ goto error;
++ }
++
++ if (*buf_size < rx_message.BodyLength) {
++ efi_status = EFI_BAD_BUFFER_SIZE;
++ perror(L"Invalid Content-Length\n");
+ goto error;
+ }
+
+diff --git a/pe.c b/pe.c
+index 9a3679e..5f1ab32 100644
+--- a/pe.c
++++ b/pe.c
+@@ -851,7 +851,11 @@ verify_sbat_section(char *SBATBase, size_t SBATSize)
+ return in_protocol ? EFI_SUCCESS : EFI_SECURITY_VIOLATION;
+ }
+
+- sbat_size = SBATSize + 1;
++ if (checked_add((uint64_t)SBATSize, 1, &sbat_size)) {
++ dprint(L"SBATSize + 1 would overflow\n");
++ return EFI_SECURITY_VIOLATION;
++ }
++
+ sbat_data = AllocatePool(sbat_size);
+ if (!sbat_data) {
+ console_print(L"Failed to allocate .sbat section buffer\n");
+diff --git a/shim.c b/shim.c
+index 4437898..6cbcc54 100644
+--- a/shim.c
++++ b/shim.c
+@@ -731,11 +731,17 @@ verify_buffer_sbat (char *data, int datasize,
+ * and ignore the section if it isn't.
 */
+ if (Section->SizeOfRawData &&
+ Section->SizeOfRawData >= Section->Misc.VirtualSize) {
++ uint64_t boundary;
+ SBATBase = ImageAddress(data, datasize,
+ Section->PointerToRawData);
+ SBATSize = Section->SizeOfRawData;
+ dprint(L"sbat section base:0x%lx size:0x%lx\n",
+ SBATBase, SBATSize);
++ if (checked_add((uint64_t)SBATBase, SBATSize, &boundary) ||
++ (boundary > (uint64_t)data + datasize)) {
++ perror(L"Section exceeds bounds of image\n");
++ return EFI_UNSUPPORTED;
++ }
+ }
+ }
+
+--
+2.33.0
+
diff --git a/shim.spec b/shim.spec
index 50ac22422c1ff6fc8ce62730003c2987cd86b3fe..fd212213d8b2d052653ee58091381fc3f1437ffd 100644
--- a/shim.spec
+++ b/shim.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global grub_version 2.06 %global fwupd_version 1.5.8
@@ -35,6 +35,10 @@ Source100: shim-find-debuginfo.sh Patch0001: 0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch
+#https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d
+#https://github.com/rhboot/shim/commit/96dccc255b16e9465dbee50b3cef6b3db74d11c8
+Patch0002: fix-cve-2023-40547-40548.patch
+
 BuildRequires: efi-filesystem BuildRequires: efi-srpm-macros >= 5 BuildRequires: gcc make dos2unix findutils git pesign
@@ -161,6 +165,9 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %files debugsource -f build-%{efiarch}/debugsource.list %changelog
+* Mon Aug 05 2024 yangxinyu - 15.7-3
+- fix-cve-2024-40547 40548
+
 * Thu Apr 13 2023 Chunmei Xu - 15.7-2 - optimise spec file - replace shim-unsigned-x64/aa64
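Review bot: In the shim.c hunk the new bounds check computes its upper limit as `(uint64_t)data + datasize` with an unchecked addition, and `datasize` is a signed `int` in the `verify_buffer_sbat` signature shown in the hunk header, so a negative value would be converted to a huge offset and wrap the limit. I would reject `datasize < 0` before this point and build the limit with the same helper, e.g. `checked_add((uint64_t)(uintptr_t)data, (uint64_t)datasize, &limit)`, casting pointers through `uintptr_t` so the conversion is also clean on 32-bit builds. None of the three patched files defines `checked_add`, so it is worth confirming that the 15.7 tree this patch applies to already provides it; otherwise the pe.c and shim.c hunks will not build. In the httpboot.c hunk the `*buf_size == 0` branch still jumps to `error` without assigning `efi_status`, unlike the new `EFI_BAD_BUFFER_SIZE` branch; if the status is still a success value there (it is set outside the hunk), the caller would not see a failure. All three function bodies extend beyond the hunks shown.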
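Review bot: The changelog entry added in the last hunk of shim.spec records the fix as `fix-cve-2024-40547 40548`, while the patch file name, its Subject line and the `Patch0002` entry all say 2023, so anyone searching the package changelog for the CVE identifiers would not find this fix. I would write the entry with the full identifiers, `- Fix CVE-2023-40547 and CVE-2023-40548`. The two upstream commit URLs above `Patch0002` are useful provenance; a short label on each saying which CVE it addresses would make the mapping explicit for later audits.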