diff --git a/CVE-2022-4132.patch b/CVE-2022-4132.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c53bf2d6e72fc4bfad5427ac8b68f87b6ab25eb1
--- /dev/null
+++ b/CVE-2022-4132.patch
@@ -0,0 +1,41 @@
+From bc8e2e6a37922cd15ef39e7e9c194b0dcbea8aa6 Mon Sep 17 00:00:00 2001
+From: Marco Fargetta
+Date: Thu, 25 May 2023 18:22:21 +0200
+Subject: [PATCH] Fix OoM in JSSEngineReferenceImpl object
+
+If TLS connection is terminated by the server with a `close_notify`
+tomcat will call the `closeOutbound()` method but the `closeInbound()`
+is never called so the cleanup cannot be done at the end.
+
+It is possible to test the problem with a tomcat instance. If the option
+`-H 'Connection: close'` is present only the `closeoutbound()` is called.
+
+Origin: https://github.com/dogtagpki/jss/commit/bc8e2e6a37922cd15ef39e7e9c194b0dcbea8aa6
+---
+ .../org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java b/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+index 1f0e10b31..cdd65f7ad 100644
+--- a/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
++++ b/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
+@@ -1588,6 +1588,11 @@ public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffe
+ if (is_outbound_closed) {
+ debug("Socket is currently closed.");
+ handshake_status = SSLEngineResult.Status.CLOSED;
++ if(as_server) {
++ // If is_outbound_closed is true there is no need to wait
++ // for the receipt the peer's close_notify message.
++ closeInbound();
++ }
+ }
+
+ debug("JSSEngine.wrap() - Finished");
+@@ -1699,7 +1704,6 @@ protected void finalize() {
+ cleanup();
+ }
+
+-
+ private class CertValidationTask extends CertAuthHandler {
+ public CertValidationTask(SSLFDProxy fd) {
+ super(fd);
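Review bot: The new `closeInbound()` call in `wrap()` is gated on `as_server`, so only server-side engines get the early close; any other engine that closes outbound without a later `closeInbound()` presumably still depends on `finalize()` (visible in the second hunk's context) to reach `cleanup()`. If that restriction is deliberate, the comment should say why, for example `// Server only: Tomcat calls closeOutbound() but never closeInbound(), so close the inbound side here.`; the existing comment also reads "for the receipt the peer's" where "for the receipt of the peer's" is meant. Because this closes the read side before the peer's `close_notify` arrives, it is worth confirming that no caller relies on that alert to detect a truncated inbound stream. The body of `wrap()` starts and ends outside the hunk, so the surrounding state handling could not be checked.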
diff --git a/jss.spec b/jss.spec index 1d99ecff58309b29bf4ffcf4c86ec9e581a72796..d0d14affbb5a7765c2e702d86699783c59198685 100644 --- a/jss.spec +++ b/jss.spec @@ -3,9 +3,11 @@ Summary: Java Security Services URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ Version: 4.9.3 -Release: 1 +Release: 2 Source: https://github.com/dogtagpki/jss/archive/v%{version}/jss-%{version}.tar.gz +Patch0: CVE-2022-4132.patch + BuildRequires: make cmake gcc-c++ nspr-devel >= 4.13.1 nss-devel >= 3.44 nss-tools >= 3.44 java-devel BuildRequires: jpackage-utils slf4j glassfish-jaxb-api slf4j-jdk14 apache-commons-lang apache-commons-codec BuildRequires: junit apache-commons-lang3 @@ -78,6 +80,9 @@ cp -rp build/docs/* jss.html *.txt $RPM_BUILD_ROOT%{_javadocdir}/jss-%{version} %{_javadocdir}/jss-%{version}/ %changelog +* Mon Feb 17 2025 yaoxin <1024769339@qq.com> - 4.9.3-2 +- Fix CVE-2022-4132 + * Mon Feb 19 2024 yaoxin - 4.9.3-1 - Upgrade to 4.9.3 for fix CVE-2021-4213
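Review bot: `Patch0: CVE-2022-4132.patch` is only declared in the first hunk; the `%prep` section that would apply it lies outside the visible lines. Confirm that `%prep` uses `%autosetup -p1` or carries an explicit `%patch` line for patch 0. A declared but unapplied patch would ship 4.9.3-2 with a changelog entry claiming the CVE-2022-4132 fix while the built code is unchanged. A build-log check that the patch was applied to `JSSEngineReferenceImpl.java` would close that gap.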