diff --git a/openvswitch-CVE-2017-9264.patch b/openvswitch-CVE-2017-9264.patch
new file mode 100644
index 0000000..3ee1cc3
--- /dev/null
+++ b/openvswitch-CVE-2017-9264.patch
@@ -0,0 +1,65 @@
+From c562b61ed91605dc0c5790aaf2df09b566df77b6 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Fri, 3 Mar 2017 21:16:17 -0800
+Subject: [PATCH] conntrack: Fix checks for TCP, UDP, and IPv6 header sizes.
+
+Otherwise a malformed packet could cause a read up to about 40 bytes past
+the end of the packet. The packet would still likely be dropped because
+of checksum verification.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Daniele Di Proietto
+---
+ lib/conntrack.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/lib/conntrack.c b/lib/conntrack.c
+index 9bea3d93e4..677c0d2a3c 100644
+--- a/lib/conntrack.c
++++ b/lib/conntrack.c
+@@ -568,15 +568,15 @@ extract_l3_ipv6(struct conn_key *key, const void *data, size_t size,
+ const char **new_data)
+ {
+ const struct ovs_16aligned_ip6_hdr *ip6 = data;
+- uint8_t nw_proto = ip6->ip6_nxt;
+- uint8_t nw_frag = 0;
+-
+ if (new_data) {
+ if (OVS_UNLIKELY(size < sizeof *ip6)) {
+ return false;
+ }
+ }
+ 
++ uint8_t nw_proto = ip6->ip6_nxt;
++ uint8_t nw_frag = 0;
++
+ data = ip6 + 1;
+ size -= sizeof *ip6;
+ 
+@@ -623,8 +623,11 @@ check_l4_tcp(const struct conn_key *key, const void *data, size_t size,
+ const void *l3)
+ {
+ const struct tcp_header *tcp = data;
+- size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
++ if (size < sizeof *tcp) {
++ return false;
++ }
+ 
++ size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
+ if (OVS_UNLIKELY(tcp_len < TCP_HEADER_LEN || tcp_len > size)) {
+ return false;
+ }
+@@ -637,8 +640,11 @@ check_l4_udp(const struct conn_key *key, const void *data, size_t size,
+ const void *l3)
+ {
+ const struct udp_header *udp = data;
+- size_t udp_len = ntohs(udp->udp_len);
++ if (size < sizeof *udp) {
++ return false;
++ }
+ 
++ size_t udp_len = ntohs(udp->udp_len);
+ if (OVS_UNLIKELY(udp_len < UDP_HEADER_LEN || udp_len > size)) {
+ return false;
+ }
diff --git a/openvswitch.spec b/openvswitch.spec
index 40750a4..66a933c 100644
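Review bot: The size guard in extract_l3_ipv6 is still nested under `if (new_data)`, so when a caller passes `new_data == NULL` the relocated `ip6->ip6_nxt` read on the new side is still not compared against `size`; presumably those callers hand in an already-validated header, but the embedded patch does not state that invariant. I would add a comment above the guard, `/* Callers passing new_data == NULL must already have verified size >= sizeof *ip6. */`, or hoist the check out of the conditional if the invariant does not hold for every caller. The new `if (size < sizeof *tcp)` and `if (size < sizeof *udp)` guards in check_l4_tcp and check_l4_udp also omit the `OVS_UNLIKELY` wrapper used by the adjacent length checks; wrapping them the same way keeps the fast path consistent with the rest of the file. All three functions continue outside their hunks, so any further reads of the header fields past the guard were not visible for review.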
--- a/openvswitch.spec +++ b/openvswitch.spec @@ -30,7 +30,7 @@ Name: openvswitch Version: 2.7.0 -Release: 4%{?snapshot}%{?dist} +Release: 5%{?snapshot}%{?dist} Summary: Open vSwitch daemon/database/utilities # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the @@ -43,7 +43,9 @@ Source1: http://fast.dpdk.org/rel/dpdk-%{dpdkver}.tar.gz Source2: ovs-snapshot.sh Patch1: openvswitch-CVE-2017-9214.patch -Patch2: tests-Export-PYTHONCOERCECLOCALE-0-for-python3-tests.patch +Patch2: openvswitch-CVE-2017-9264.patch + +Patch10: tests-Export-PYTHONCOERCECLOCALE-0-for-python3-tests.patch %if %{with dpdk} %define dpdkarches x86_64 i686 aarch64 ppc64le @@ -647,6 +649,9 @@ rm -rf $RPM_BUILD_ROOT %{_unitdir}/ovn-controller-vtep.service %changelog +* Tue Jun 13 2017 Timothy Redaelli - 2.7.0-5 +- Backport fix for CVE-2017-9264 (#1457329) + * Wed Jun 07 2017 Timothy Redaelli - 2.7.0-4 - Remove PYTHONCOERCECLOCALE=0 workaround and backport upstream patch (#1454364)
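Review bot: Renumbering the PYTHONCOERCECLOCALE patch from Patch2 to Patch10 while reusing the Patch2 slot for openvswitch-CVE-2017-9264.patch is only self-contained if %prep applies patches with `%autosetup`/`%autopatch`; if %prep uses explicit `%patch2 -p1` directives, that directive now applies the CVE patch and a matching `%patch10 -p1` is needed, which this diff does not show. The %prep section lies outside the hunks, so this should be confirmed against the rest of the spec before merging. A short comment above the new line, `# Patch10+: non-security backports`, would make the numbering gap intentional for the next maintainer.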