diff --git a/0001-fix-CVE-2024-1753.patch b/0001-fix-CVE-2024-1753.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e1044362e52c7397b07fc2ee223c3bab35c8a4a
--- /dev/null
+++ b/0001-fix-CVE-2024-1753.patch
@@ -0,0 +1,37 @@
+From b1ac1972722409875a645beddd49eadc5ff026e2 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Thu, 11 Apr 2024 13:44:00 +0800
+Subject: [PATCH] fix CVE-2024-1753
+
+---
+ internal/parse/parse.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/internal/parse/parse.go b/internal/parse/parse.go
+index ec46382..0860858 100644
+--- a/internal/parse/parse.go
++++ b/internal/parse/parse.go
+@@ -8,6 +8,7 @@ import (
+ "strconv"
+ "strings"
+
++ "github.com/containers/buildah/copier"
+ "github.com/containers/buildah/internal"
+ internalUtil "github.com/containers/buildah/internal/util"
+ "github.com/containers/common/pkg/parse"
+@@ -151,7 +152,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ // buildkit parity: support absolute path for sources from current build context
+ if contextDir != "" {
+ // path should be /contextDir/specified path
+- newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, "", err
++ }
++ newMount.Source = evaluated
+ } else {
+ // looks like its coming from `build run --mount=type=bind` allow using absolute path
+ // error out if no source is set
+--
+2.20.1
+
diff --git a/buildah.spec b/buildah.spec
index 5f8eb5de7480f994b04d0432019a46aa8cf0291f..f79e917a3fbdb21a7024415def3b4062000e3344 100644
--- a/buildah.spec
+++ b/buildah.spec
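Review bot: Nothing in this patch tests the case it fixes: in the `contextDir != ""` branch of `GetBindMount`, keeping `newMount.Source` under `contextDir` now rests entirely on `copier.Eval`, where the removed line at least rooted and cleaned the path lexically before joining it. A regression test should cover a mount source that would resolve outside the build context (through a symlink or `..`) and assert that the evaluated path still has `contextDir` as its prefix; this matters more for a 1.26.1 backport, since the `copier` package here may not behave exactly like the upstream version the fix was written against. The error is also returned bare, so the user cannot tell which mount failed; `return newMount, "", fmt.Errorf("evaluating bind mount source %q: %w", newMount.Source, err)` would say so, assuming `fmt` is already imported in parse.go (the import block is only partly visible). The body of `GetBindMount` starts and ends outside the hunk.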
@@ -25,12 +25,15 @@ Name: buildah Version: 1.26.1 -Release: 1 +Release: 2 Summary: A command line tool used for creating OCI Images License: ASL 2.0 and BSD and MIT and MPLv2.0 URL: https://%{name}.io Source: %{git0}/archive/v%{version}.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz + +Patch0001: 0001-fix-CVE-2024-1753.patch + BuildRequires: device-mapper-devel git-core golang >= 1.16.6 glib2-devel glibc-static gpgme-devel libassuan-devel BuildRequires: make ostree-devel btrfs-progs-devel libseccomp-static Requires: containers-common netavark iptables nftables libseccomp >= 2.4.1-0 @@ -79,7 +82,7 @@ or * delete a working container or an image %prep -%autosetup -Sgit -n %{name}-%{version} +%autosetup -Sgit -n %{name}-%{version} -p1 tar -xf %SOURCE1 %build @@ -136,5 +139,11 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install %{_datadir}/bash-completion/completions/%{name} %changelog +* Thu Apr 11 2024 zhangbowei - 1.26.1-2 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: fix CVE-2024-1753 + * Mon Jun 20 2022 fushanqing - 1.26.1-1 - Initial package