diff --git a/libtpms.spec b/libtpms.spec
index d5949da6820cf96dc998abe15c89110a1ccb422e..3fc31da331fe6bf7e7215e781d4b95df753ac8a3 100644
--- a/libtpms.spec
+++ b/libtpms.spec
@@ -6,7 +6,7 @@ %define name libtpms
 %define versionx 0.7.3
-%define release 4
+%define release 5
 # Valid crypto subsystems are 'freebl' and 'openssl'
 %if "%{?crypto_subsystem}" == ""
@@ -19,7 +19,7 @@ Summary: Library providing Trusted Platform Module (TPM) functionality
 Name: %{name}
 Version: %{versionx}
-Release: 4
+Release: 5
 License: BSD
 Group: Development/Libraries
 Url: http://github.com/stefanberger/libtpms
@@ -34,6 +34,8 @@ Patch4: tpm2-rev155-Add-new-RsaAdjustPrimeCandidate-code.patch
 Patch5: tpm2-Introduce-SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_FI.patch
 Patch6: tpm2-Pass-SEED_COMPAT_LEVEL-to-CryptAdjustPrimeCandi.patch
 Patch7: tpm2-Activate-SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_FIX.patch
+Patch8: tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
+Patch9: tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
 %if "%{crypto_subsystem}" == "openssl"
 BuildRequires: openssl-devel
@@ -126,6 +128,12 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libtpms.la
 %postun -p /sbin/ldconfig
 %changelog
+* Wed Nov 10 2021 jiangfangjie - 0.7.3-5
+-TYPE: CVE
+-ID:NA
+-ID:NA
+_DESC: fix CVE-2021-3746
+
 * Tue May 11 2021 jiangfangjie - 0.7.3-4
 -TYPE: CVE
 -ID:NA
diff --git a/tpm2-Initialize-a-whole-OBJECT-before-using-it.patch b/tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a012ceacb52969d41e93e217f89f171a237bb52a
--- /dev/null
+++ b/tpm2-Initialize-a-whole-OBJECT-before-using-it.patch
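Review bot: The third hunk declares `Patch8:` and `Patch9:`, but the `%prep` section is outside the diff, so it is not visible whether they are applied; if this spec uses explicit `%patchN -p1` lines rather than `%autosetup`, matching `%patch8 -p1` and `%patch9 -p1` lines are required, otherwise 0.7.3-5 builds without the fix the changelog claims and nothing in the package flags it. Running `rpmbuild -bp` on the spec and checking that src/tpm2/Object.c and src/tpm2/NVMarshal.c carry the new hunks would confirm it either way. In the changelog hunk the new entry's fields are inconsistently prefixed (`_DESC: fix CVE-2021-3746` next to `-TYPE:`/`-ID:`), and with the CVE id known, one of the two `-ID:NA` lines is presumably where it belongs rather than in the description — worth checking against the distro's changelog convention so that CVE tracking tools can pick the entry up.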
@@ -0,0 +1,34 @@
+From ea62fd9679f8c6fc5e79471b33cfbd8227bfed72 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Thu, 22 Jul 2021 21:23:58 -0400
+Subject: [PATCH] tpm2: Initialize a whole OBJECT before using it
+
+Initialize a whole OBJECT before using it. This is necessary since
+an OBJECT may also be used as a HASH_OBJECT via the ANY_OBJECT
+union and that HASH_OBJECT can leave bad size inidicators in TPM2B
+buffer in the OBJECT. To get rid of this problem we reset the whole
+OBJECT to 0 before using it. This is as if the memory for the
+OBJECT was just initialized.
+
+Signed-off-by: Stefan Berger
+---
+ src/tpm2/Object.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
+index ab50348..967105f 100644
+--- a/src/tpm2/Object.c
++++ b/src/tpm2/Object.c
+@@ -284,7 +284,8 @@ FindEmptyObjectSlot(
+ if(handle)
+ *handle = i + TRANSIENT_FIRST;
+ // Initialize the object attributes
+- MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
++ // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
++ MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
+ return object;
+ }
+ }
+--
+2.21.0.windows.1
+
diff --git a/tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch b/tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6bf8f4fab7495ea6c74a8ce2f2c2a49f87f9b656
--- /dev/null
+++ b/tpm2-NVMarshal-Handle-index-orderly-RAM-without-0-si.patch
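Review bot: The superseded call is kept as a commented-out line (`// MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));`) directly above the new whole-object clear, and the surviving comment `// Initialize the object attributes` now understates what the code does; since `MemorySet(object, 0, sizeof(*object))` already covers `object->attributes`, the dead line should go and the comment should carry the reason from the commit message, e.g. `// Zero the whole slot: it may have been used as a HASH_OBJECT via the ANY_OBJECT union, whose TPM2B size fields would otherwise survive into the reused OBJECT`. Note that this clears a slot only when it is handed out again, so whatever the slot held before — presumably including sensitive key material of a since-released transient object — stays in memory until then; that is not changed by this patch, but it is worth a sentence in the comment if the slot lifetime is not documented elsewhere. FindEmptyObjectSlot starts and ends outside the hunk.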
@@ -0,0 +1,56 @@
+From 1fb6cd9b8df05b5d6e381b31215193d6ada969df Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Fri, 23 Jul 2021 13:29:00 -0400
+Subject: [PATCH] tpm2: NVMarshal: Handle index orderly RAM without 0-sized
+ terminating node
+
+The NVRAM entries in s_indexOrderlyRam array do not need to contain a
+0-sized terminating node. Instead, the entries may fill up this 512
+byte array so that no NV_RAM_HEADER structure fits anymore. The fact
+that no more NV_RAM_HEADER structure fits is also an indicator for the
+last entry. We need to account for this in the code marshalling and
+unmarshalling the entries so that we stop marshalling the entries
+then and similarly stop unmarshalling.
+
+Signed-off-by: Stefan Berger
+---
+ src/tpm2/NVMarshal.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
+index 2b2d84a..430f481 100644
+--- a/src/tpm2/NVMarshal.c
++++ b/src/tpm2/NVMarshal.c
+@@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
+ datasize, buffer, size);
+ }
+ offset += nrh.size;
++ if (offset + sizeof(NV_RAM_HEADER) > array_size) {
++ /* nothing will fit anymore and there won't be a 0-sized
++ * terminating node (@1).
++ */
++ break;
++ }
+ }
+
+ written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
+@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
+ */
+ nrhp = array + offset;
+
++ if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
++ /* this case can occur with the previous entry filling up the
++ * space; in this case there will not be a 0-sized terminating
++ * node (see @1 above). We clear the rest of our space.
++ */
++ if (array_size > offset)
++ memset(nrhp, 0, array_size - offset);
++ break;
++ }
++
+ /* write the NVRAM header;
+ nrh->size holds the complete size including data;
+ nrh->size = 0 indicates the end */
+--
+2.21.0.windows.1
+
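Review bot: In the unmarshal hunk the new guard sits below `nrhp = array + offset;`, so the pointer is formed before the bound is checked, and the guard compares against `sourceside_size` while the `memset` guard compares against `array_size`; if `offset` — advanced by the previous entry's size taken from the serialized state — can exceed `array_size`, `array + offset` is computed past the end of the array, which is undefined behavior even though the `memset` itself is protected by `if (array_size > offset)`. Moving the new block above the `nrhp = array + offset;` line, or rejecting `offset > array_size` before the pointer is formed, would remove the dependence on the later check. Whether the per-entry size is validated earlier in the loop is not visible in the hunk — confirm before relying on it. The marshal-side break compares against `array_size` and is consistent with the local buffer, so only the unmarshal side needs attention. INDEX_ORDERLY_RAM_Marshal and INDEX_ORDERLY_RAM_Unmarshal both start and end outside their hunks.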