diff --git a/.gitignore b/.gitignore
index f5dae2e..867245c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,5 @@
 SOURCES/qemu-6.2.0.tar.xz
+SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
+SOURCES/tests_data_acpi_q35_FACP.slic
+SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
+SOURCES/tests_data_acpi_virt_SSDT.memhp
diff --git a/.qemu-kvm.metadata b/.qemu-kvm.metadata
index 6f39e05..3cc4012 100644
--- a/.qemu-kvm.metadata
+++ b/.qemu-kvm.metadata
@@ -1 +1,5 @@
 68cd61a466170115b88817e2d52db2cd7a92f43a SOURCES/qemu-6.2.0.tar.xz
+c4b34092bc5af1ba7febfca1477320fb024e8acd SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
+19349e3517143bd1af56a5444e927ba37a111f72 SOURCES/tests_data_acpi_q35_FACP.slic
+4632d10ae8cedad4d5d760ed211f83f0dc81005d SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
+ef12eed43cc357fb134db6fa3c7ffc83e222a97d SOURCES/tests_data_acpi_virt_SSDT.memhp
diff --git a/SOURCES/kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch b/SOURCES/kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
new file mode 100644
index 0000000..2460dda
--- /dev/null
+++ b/SOURCES/kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
@@ -0,0 +1,102 @@
+From 5282809c2c0c57228c4ce870dae413e84b09ebf6 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 15 Aug 2023 00:08:55 +0000
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+RH-MergeRequest: 303: io: remove io watch if TLS channel is closed during handshake
+RH-Bugzilla: 2216510
+RH-Acked-by: Peter Xu
+RH-Acked-by: Stefan Hajnoczi
+RH-Commit: [1/1] 40526f8952e752656662e11e935b1fc63a0c1061 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2216510
+CVE: CVE-2023-3354
+Upstream: Merged
+
+commit 10be627d2b5ec2d6b3dce045144aa739eef678b4
+Author: Daniel P. Berrangé
+Date: Tue Jun 20 09:45:34 2023 +0100
+
+ io: remove io watch if TLS channel is closed during handshake
+
+ The TLS handshake make take some time to complete, during which time an
+ I/O watch might be registered with the main loop. If the owner of the
+ I/O channel invokes qio_channel_close() while the handshake is waiting
+ to continue the I/O watch must be removed. Failing to remove it will
+ later trigger the completion callback which the owner is not expecting
+ to receive. In the case of the VNC server, this results in a SEGV as
+ vnc_disconnect_start() tries to shutdown a client connection that is
+ already gone / NULL.
+
+ CVE-2023-3354
+ Reported-by: jiangyegen
+ Signed-off-by: Daniel P. Berrangé
+
+Signed-off-by: Jon Maloy
+---
+ include/io/channel-tls.h | 1 +
+ io/channel-tls.c | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index 5672479e9e..26c67f17e2 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -48,6 +48,7 @@ struct QIOChannelTLS {
+ QIOChannel *master;
+ QCryptoTLSSession *session;
+ QIOChannelShutdown shutdown;
++ guint hs_ioc_tag;
+ };
+
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index c730cb8ec5..bd79e78837 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+ }
+
+ trace_qio_channel_tls_handshake_pending(ioc, status);
+- qio_channel_add_watch_full(ioc->master,
+- condition,
+- qio_channel_tls_handshake_io,
+- data,
+- NULL,
+- context);
++ ioc->hs_ioc_tag =
++ qio_channel_add_watch_full(ioc->master,
++ condition,
++ qio_channel_tls_handshake_io,
++ data,
++ NULL,
++ context);
+ }
+ }
+
+@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+ qio_task_get_source(task));
+
++ tioc->hs_ioc_tag = 0;
+ g_free(data);
+ qio_channel_tls_handshake_task(tioc, task, context);
+
+@@ -375,6 +377,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++ if (tioc->hs_ioc_tag) {
++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++ }
++
+ return qio_channel_close(tioc->master, errp);
+ }
+
+--
+2.37.3
+
diff --git a/SOURCES/tests_data_acpi_pc_SSDT.dimmpxm b/SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
deleted file mode 100644
index ac55387..0000000
Binary files a/SOURCES/tests_data_acpi_pc_SSDT.dimmpxm and /dev/null differ
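Review bot: In `qio_channel_tls_close` the handshake watch is now torn down with `g_source_remove`, but that watch was registered with a NULL GDestroyNotify (the `NULL,` argument to `qio_channel_add_watch_full`) and its `data` is only freed inside `qio_channel_tls_handshake_io` (`g_free(data)`), so on the close-during-handshake path the callback never runs and `data` — presumably together with the pending QIOTask it refers to, which is then never completed — is not released; a per-connection leak rather than the crash the patch fixes, but worth closing. Passing a destroy notify that owns the `g_free(data)` (and dropping the `g_free` from the callback, which as a one-shot watch presumably returns FALSE so the notify runs after it) would cover the data; what should happen to the task on close is not visible in this hunk and needs checking against qio_task ownership. The `if (tioc->hs_ioc_tag)` guard around `g_clear_handle_id` is redundant, since `g_clear_handle_id` already skips a zero id. The new `hs_ioc_tag` member in channel-tls.h carries no comment; `/* GSource id of the pending handshake I/O watch; 0 when none is registered */` would state the invariant the close path relies on. All three touched functions begin and end outside their hunks.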
diff --git a/SOURCES/tests_data_acpi_q35_FACP.slic b/SOURCES/tests_data_acpi_q35_FACP.slic
deleted file mode 100644
index 15986e0..0000000
Binary files a/SOURCES/tests_data_acpi_q35_FACP.slic and /dev/null differ
diff --git a/SOURCES/tests_data_acpi_q35_SSDT.dimmpxm b/SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
deleted file mode 100644
index 98e6f0e..0000000
Binary files a/SOURCES/tests_data_acpi_q35_SSDT.dimmpxm and /dev/null differ
diff --git a/SOURCES/tests_data_acpi_virt_SSDT.memhp b/SOURCES/tests_data_acpi_virt_SSDT.memhp
deleted file mode 100644
index 375d7b6..0000000
Binary files a/SOURCES/tests_data_acpi_virt_SSDT.memhp and /dev/null differ
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index f01a9e8..1fddf9f 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 32%{?rcrel}%{?dist}
+Release: 33%{?rcrel}%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -652,6 +652,8 @@ Patch255: kvm-scsi-protect-req-aiocb-with-AioContext-lock.patch
 Patch256: kvm-dma-helpers-prevent-dma_blk_cb-vs-dma_aio_cancel-rac.patch
 # For bz#2090990 - qemu crash with error scsi_req_unref(SCSIRequest *): Assertion `req->refcount > 0' failed or scsi_dma_complete(void *, int): Assertion `r->req.aiocb != NULL' failed [8.7.0]
 Patch257: kvm-virtio-scsi-reset-SCSI-devices-from-main-loop-thread.patch
+# For bz#2216510 - CVE-2023-3354 virt:rhel/qemu-kvm: QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service [rhel-8.8.0.z]
+Patch258: kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -1824,6 +1826,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 * Tue Dec 12 2023 MSVSphere Packaging Team - 15:6.2.0-32
 - Rebuilt for MSVSphere 8.8
 
+* Fri Aug 25 2023 Jon Maloy - 6.2.0-33.el8_8
+- kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch [bz#2216510]
+- Resolves: bz#2216510
+ (CVE-2023-3354 virt:rhel/qemu-kvm: QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service [rhel-8.8.0.z])
+
 * Mon Mar 13 2023 Jon Maloy - 6.2.0-32.el8_8
 - kvm-aio_wait_kick-add-missing-memory-barrier.patch [bz#2168472]
 - kvm-qatomic-add-smp_mb__before-after_rmw.patch [bz#2168472]