diff --git a/backport-CVE-2020-26572-prevent-out-of-bounds-write.patch b/backport-CVE-2020-26572-prevent-out-of-bounds-write.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0c73a1f23a535e181574cf3238a75430908b7310
--- /dev/null
+++ b/backport-CVE-2020-26572-prevent-out-of-bounds-write.patch
@@ -0,0 +1,23 @@
+From 9d294de90d1cc66956389856e60b6944b27b4817 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 4 Jun 2020 10:04:10 +0200
+Subject: [PATCH] prevent out of bounds write
+
+fixes https://oss-fuzz.com/testcase-detail/5226571123392512
+---
+ src/libopensc/card-tcos.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
+index 673c2493dd..e88c80bd79 100644
+--- a/src/libopensc/card-tcos.c
++++ b/src/libopensc/card-tcos.c
+@@ -623,6 +623,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
+ 	apdu.data = sbuf;
+ 	apdu.lc = apdu.datalen = crgram_len+1;
+ 	sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
++	if (sizeof sbuf - 1 < crgram_len)
++		return SC_ERROR_INVALID_ARGUMENTS;
+ 	memcpy(sbuf+1, crgram, crgram_len);
+ 
+ 	r = sc_transmit_apdu(card, &apdu);
diff --git a/opensc.spec b/opensc.spec
index a8048c501d98fd20287eed955b7eba1019d3e7dd..ae33e3afdb8bbc924c35c14d52636d8e2a55d0a2 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -3,7 +3,7 @@
 
 Name:            opensc
 Version:         0.20.0
-Release:         5
+Release:         6
 License:         LGPLv2.1+
 Summary:         Smart card library and applications
 URL:             https://github.com/OpenSC/OpenSC/wiki
@@ -12,6 +12,7 @@ Source0:         https://github.com/OpenSC/OpenSC/releases/download/%{version}/%
 Patch0:          myeid-fixed-memory-leak.patch
 Patch1:          backport-CVE-2020-26570-Heap-buffer-overflow-WRITE.patch
 Patch2:          backport-CVE-2020-26571-fixed-invalid-read.patch
+Patch3:          backport-CVE-2020-26572-prevent-out-of-bounds-write.patch
 
 BuildRequires:   openssl-devel pcsc-lite-devel bash-completion docbook-style-xsl readline-devel
 BuildRequires:   desktop-file-utils /usr/bin/xsltproc autoconf automake libtool gcc
@@ -135,6 +136,9 @@ make check
 %{_sysconfdir}/xdg/autostart/pkcs11-register.desktop
 
 %changelog
+* Wed Feb 3 2021 Hugel <gengqihu1@huawei.com> - 0.20.0-6
+- fix CVE-2020-26572
+
 * Sat Jan 23 2021 zoulin <zoulin13@huawei.com> - 0.20.0-5
 - fix CVE-2020-26571