diff --git a/backport-CVE-2024-36387.patch b/backport-CVE-2024-36387.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e85d7b22931aed3465b0467011b59b284e659a14
--- /dev/null
+++ b/backport-CVE-2024-36387.patch
@@ -0,0 +1,35 @@
+From 62aa64e5aea21dd969db97aded4443c98c0735ac Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 24 Jun 2024 17:51:42 +0000
+Subject: [PATCH] Merge r1918548 from trunk:
+
+mod_http2: early exit if bb is null
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
+---
+ mod_http2/h2_c2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mod_http2/h2_c2.c b/mod_http2/h2_c2.c
+index a955200..c65a521 100644
+--- a/mod_http2/h2_c2.c
++++ b/mod_http2/h2_c2.c
+@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
+ h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
+ apr_status_t rv;
+
++ if (bb == NULL) {
++#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
++ f->c->data_in_output_filters = 0;
++#endif
++ return APR_SUCCESS;
++ }
++
+ ap_assert(conn_ctx);
+ #if AP_HAS_RESPONSE_BUCKETS
+ if (!conn_ctx->has_final_response) {
+--
+2.33.0
+
diff --git a/mod_http2.spec b/mod_http2.spec
index 30e2fb165be5d382c5dd0e42b9d61b841619aabe..52053e746af79fc754ade6cbaff6387a2190175e 100644
--- a/mod_http2.spec
+++ b/mod_http2.spec
@@ -2,13 +2,14 @@ Name: mod_http2
 Version: 2.0.25
-Release: 2
+Release: 3
 Summary: Support for the HTTP/2 transport layer
 License: ASL 2.0
 URL: https://icing.github.io/mod_h2/
 Source0: https://github.com/icing/mod_h2/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Patch0: backport-CVE-2024-27316.patch
+Patch1: backport-CVE-2024-36387.patch
 BuildRequires: make gcc pkgconfig httpd-devel >= 2.4.20 libnghttp2-devel >= 1.7.0 openssl-devel >= 1.0.2 autoconf libtool hostname
 Requires: httpd-mmn = %{_httpd_mmn}
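Review bot: The new `bb == NULL` guard in h2_c2_filter_out carries no comment saying why the output filter can be entered without a brigade or why that case is reported as APR_SUCCESS rather than an error, and since this guard is the whole CVE-2024-36387 backport the next reader of the patch file will want that stated; I would add `/* CVE-2024-36387: the filter can be handed a NULL brigade; there is nothing to forward, so leave before bb or conn_ctx is dereferenced. */` above the `if`. Placing the guard ahead of `ap_assert(conn_ctx)` means a NULL brigade now returns before the context assertion and the response-bucket handling run, which looks intended given the commit message "early exit if bb is null". The `#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)` branch clears `f->c->data_in_output_filters` only for older MMNs, so on newer httpd that flag is presumably maintained elsewhere — worth confirming against the httpd-devel >= 2.4.20 floor the spec declares, since both branches can be built here. h2_c2_filter_out starts before and continues past the hunk.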
@@ -50,6 +51,12 @@ make check
 %exclude /etc/httpd/share/doc/*
 %changelog
+* Mon Jul 08 2024 zhangxianting - 2.0.25-3
+- Type:cves
+- CVE:CVE-2024-36387
+- SUG:NA
+- DESC:fix CVE-2024-36387
+
 * Sun Apr 07 2024 gaihuiying - 2.0.25-2
 - Type:cves
 - CVE:CVE-2024-27316