diff --git a/0046-FIPS-s390x-hardening.patch b/0046-FIPS-s390x-hardening.patch
new file mode 100644
index 0000000..f79abf9
--- /dev/null
+++ b/0046-FIPS-s390x-hardening.patch
@@ -0,0 +1,22 @@
+diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
+index 5c70b2d67840..c5726c638bdd 100644
+--- a/crypto/ec/ecp_s390x_nistp.c
++++ b/crypto/ec/ecp_s390x_nistp.c
+@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
+     /* Otherwise use default. */
+     if (rc == -1)
+         rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+-    OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
++    OPENSSL_cleanse(param, sizeof(param));
+     BN_CTX_end(ctx);
+     BN_CTX_free(new_ctx);
+     return rc;
+@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
+ 
+     ok = 1;
+ ret:
+-    OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
++    OPENSSL_cleanse(param, sizeof(param));
+     if (ok != 1) {
+         ECDSA_SIG_free(sig);
+         sig = NULL;
diff --git a/openssl.spec b/openssl.spec
index 9e8e3ab..fb2651e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -67,6 +67,8 @@ Patch34: 0034.fipsinstall_disable.patch
 Patch35: 0035-speed-skip-unavailable-dgst.patch
 # Minimize fips services
 Patch45: 0045-FIPS-services-minimize.patch
+# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
+Patch46: 0046-FIPS-s390x-hardening.patch
 # Execute KATS before HMAC verification
 Patch47: 0047-FIPS-early-KATS.patch
 
@@ -396,6 +398,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5
+- On the s390x, zeroize all the copies of TLS premaster secret
+- Related: rhbz#2040448
+
 * Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4
 - rebuilt