diff --git a/SOURCES/RHEL-32153-kBrotliBitMask-bounds.patch b/SOURCES/RHEL-32153-kBrotliBitMask-bounds.patch
new file mode 100644
index 0000000..b25cef9
--- /dev/null
+++ b/SOURCES/RHEL-32153-kBrotliBitMask-bounds.patch
@@ -0,0 +1,14 @@
+--- brotli-1.0.9/c/dec/bit_reader.h.RHEL-32153-kBrotliBitMask-bounds	2020-08-27 16:12:55.000000000 +0200
++++ brotli-1.0.9/c/dec/bit_reader.h	2024-09-11 12:42:29.143308077 +0200
+@@ -28,8 +28,10 @@ static BROTLI_INLINE uint32_t BitMask(ui
+     /* Masking with this expression turns to a single
+        "Unsigned Bit Field Extract" UBFX instruction on ARM. */
+     return ~((0xFFFFFFFFu) << n);
+-  } else {
++  } else if (n < 33) {
+     return kBrotliBitMask[n];
++  } else {
++    return 0;
+   }
+ }
+ 
diff --git a/SPECS/brotli.spec b/SPECS/brotli.spec
index bb3930f..6bc47f7 100644
--- a/SPECS/brotli.spec
+++ b/SPECS/brotli.spec
@@ -1,6 +1,6 @@
 Name:           brotli
 Version:        1.0.9
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Lossless compression algorithm
 
 License:        MIT
@@ -8,6 +8,7 @@ URL:            https://github.com/google/brotli
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 
 Patch0:        09b0992b6acb7faa6fd3b23f9bc036ea117230fc.patch
+Patch1:         RHEL-32153-kBrotliBitMask-bounds.patch
 
 %if 0%{?rhel} == 7
 BuildRequires:  devtoolset-7-toolchain, devtoolset-7-libatomic-devel
@@ -139,6 +140,9 @@ done
 
 
 %changelog
+* Wed Sep 11 2024 Eike Rathke <erack@redhat.com> - 1.0.9-7
+- Check BitMask(n) n value for kBrotliBitMask[n] bounds
+
 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.0.9-6
 - Rebuilt for MSVSphere 9.1.