diff --git a/backport-CVE-2022-49737.patch b/backport-CVE-2022-49737.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b0363e5c6e3e0325b44fcd813a495259ceecfc2
--- /dev/null
+++ b/backport-CVE-2022-49737.patch
@@ -0,0 +1,33 @@
+From 350ce9f0aff0278b6d3ad70415a11ff33b09afdf Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Fri, 18 Apr 2025 10:17:34 +0800
+Subject: [PATCH] backport-CVE-2022-49737
+
+---
+ dix/devices.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 0b3e7c4..7f0e741 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2646,6 +2646,8 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
+     if (IsFloating(dev) && !master && dev->enabled)
+         return Success;
+ 
++    input_lock();
++
+     /* free the existing sprite. */
+     if (IsFloating(dev) && dev->spriteInfo->paired == dev) {
+         screen = miPointerGetScreen(dev);
+@@ -2686,6 +2688,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
+         RecalculateMasterButtons(master);
+     }
+ 
++    input_unlock();
+     /* XXX: in theory, the MD should change back to its old, original
+      * classes when the last SD is detached. Thanks to the XTEST devices,
+      * we'll always have an SD attached until the MD is removed.
+-- 
+2.33.0
+
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 24a717e41f603ba976b991e0c8c7cf685eed5a6c..032f425560d73584570c0c4d11caf58d4c0bb4ab 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -16,7 +16,7 @@
 
 Name:           xorg-x11-server
 Version:        1.20.11
-Release:        37
+Release:        38
 Summary:        X.Org X11 X server
 License:        MIT and GPLv2
 URL:            https://www.x.org
@@ -140,6 +140,7 @@ Patch6053: backport-CVE-2025-26598.patch
 Patch6054: backport-CVE-2025-26599.patch
 Patch6055: backport-CVE-2025-26600.patch
 Patch6056: backport-CVE-2025-26601.patch
+Patch6057: backport-CVE-2022-49737.patch
 
 BuildRequires:  audit-libs-devel autoconf automake bison dbus-devel flex git gcc 
 BuildRequires:  systemtap-sdt-devel libtool pkgconfig 
@@ -481,6 +482,9 @@ find %{inst_srcdir}/hw/xfree86 -name \*.c -delete
 %{_mandir}/man*/*
 
 %changelog
+* Fri Apr 18 2025 maoyanping <maoyanping@xfusion.com> - 1.20.11-38
+- fix CVE-2022-49737
+
 * Sun Mar 09 2025 Funda Wang <fundawang@yeah.net> - 1.20.11-37
 - fix CVE-2025-26594, CVE-2025-26595, CVE-2025-26596,
   CVE-2025-26597, CVE-2025-26598, CVE-2025-26599