diff --git a/.at-spi2-atk.metadata b/.at-spi2-atk.metadata
index 5f00485..cd6b6e4 100644
--- a/.at-spi2-atk.metadata
+++ b/.at-spi2-atk.metadata
@@ -1 +1 @@
-39fd009dae262747ba5d448a0e08dfc8fac01f80 SOURCES/at-spi2-atk-2.14.1.tar.xz
+9896c6d8130ba167eba084fdf1cd47ed774be147 SOURCES/at-spi2-atk-2.22.0.tar.xz
diff --git a/.gitignore b/.gitignore
index 6543e60..b057aea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/at-spi2-atk-2.14.1.tar.xz
+SOURCES/at-spi2-atk-2.22.0.tar.xz
diff --git a/SOURCES/0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch b/SOURCES/0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch
new file mode 100644
index 0000000..6b40c72
--- /dev/null
+++ b/SOURCES/0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch
@@ -0,0 +1,91 @@
+From 66dd82116845addb08973d52e518db6e7ce5ff22 Mon Sep 17 00:00:00 2001
+From: Milan Crha
+Date: Mon, 8 May 2017 17:21:58 -0500
+Subject: [PATCH] Fix use after free when returned objects hold only one ref
+
+It seems that not all code expects atk_object_ref_accessible_child()
+returning NULL, neither that it can return an object with only one
+reference, thus the following unref in the code can cause use-after-free
+eventually.
+
+At least the chunk in impl_GetChildAtIndex() avoids runtime warning about
+invalid object being passed to g_object_unref(), which happened, in this
+case, when evolution returned NULL. Evolution returns objects with one
+reference only often, which tries to address the other chunks here.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781716
+---
+ atk-adaptor/adaptors/accessible-adaptor.c | 3 ++-
+ atk-adaptor/adaptors/collection-adaptor.c | 16 ++++++++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/atk-adaptor/adaptors/accessible-adaptor.c b/atk-adaptor/adaptors/accessible-adaptor.c
+index 058b116..572e4f8 100644
+--- a/atk-adaptor/adaptors/accessible-adaptor.c
++++ b/atk-adaptor/adaptors/accessible-adaptor.c
+@@ -182,7 +182,8 @@ impl_GetChildAtIndex (DBusConnection * bus,
+ }
+ child = atk_object_ref_accessible_child (object, i);
+ reply = spi_object_return_reference (message, child);
+- g_object_unref (child);
++ if (child)
++ g_object_unref (child);
+
+ return reply;
+ }
+diff --git a/atk-adaptor/adaptors/collection-adaptor.c b/atk-adaptor/adaptors/collection-adaptor.c
+index 42ea073..b57c5f6 100644
+--- a/atk-adaptor/adaptors/collection-adaptor.c
++++ b/atk-adaptor/adaptors/collection-adaptor.c
+@@ -494,9 +494,12 @@ sort_order_canonical (MatchRulePrivate * mrp, GList * ls,
+ {
+ AtkObject *child = atk_object_ref_accessible_child (obj, i);
+
+- g_object_unref (child);
++ if (!child)
++ continue;
++
+ if (prev && child == pobj)
+ {
++ g_object_unref (child);
+ return kount;
+ }
+
+@@ -517,6 +520,7 @@ sort_order_canonical (MatchRulePrivate * mrp, GList * ls,
+ kount = sort_order_canonical (mrp, ls, kount,
+ max, child, 0, TRUE,
+ pobj, recurse, traverse);
++ g_object_unref (child);
+ }
+ return kount;
+ }
+@@ -559,19 +563,23 @@ sort_order_rev_canonical (MatchRulePrivate * mrp, GList * ls,
+ and get it's last descendant.
+ First, get the previous sibling */
+ nextobj = atk_object_ref_accessible_child (parent, indexinparent - 1);
+- g_object_unref (nextobj);
+
+ /* Now, drill down the right side to the last descendant */
+- while (atk_object_get_n_accessible_children (nextobj) > 0)
++ while (nextobj && atk_object_get_n_accessible_children (nextobj) > 0)
+ {
+- nextobj = atk_object_ref_accessible_child (nextobj,
++ AtkObject *follow;
++
++ follow = atk_object_ref_accessible_child (nextobj,
+ atk_object_get_n_accessible_children
+ (nextobj) - 1);
+ g_object_unref (nextobj);
++ nextobj = follow;
+ }
+ /* recurse with the last descendant */
+ kount = sort_order_rev_canonical (mrp, ls, kount, max,
+ nextobj, TRUE, pobj);
++ if (nextobj)
++ g_object_unref (nextobj);
+ }
+ else if (max == 0 || kount < max)
+ {
+--
+2.9.3
+
diff --git a/SOURCES/0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch b/SOURCES/0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch
new file mode 100644
index 0000000..456dc2d
--- /dev/null
+++ b/SOURCES/0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch
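Review bot: In the sort_order_rev_canonical hunk the recursive call can now receive a NULL nextobj, because the patch's own premise is that atk_object_ref_accessible_child() may return NULL (either on the first call for the previous sibling, or as `follow` inside the loop, after which the `nextobj &&` test ends the loop), yet only the trailing g_object_unref is guarded. Whether sort_order_rev_canonical tolerates a NULL object is not visible in this hunk; if it does not, the call needs the same guard, `if (nextobj) kount = sort_order_rev_canonical (mrp, ls, kount, max, nextobj, TRUE, pobj);`. In the collection-adaptor hunk at line 494 the reference on `child` is now held until the unref added at line 520, so any other early exit in the context between those two hunks (not shown here) would now leak a reference where the old immediate unref could not. Both sort_order_canonical and sort_order_rev_canonical start and end outside these hunks.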
@@ -0,0 +1,107 @@
+From 113d9c15ac9d1cc5f120d859d284ffb55f80d54e Mon Sep 17 00:00:00 2001
+From: Rui Matos
+Date: Mon, 24 Apr 2017 14:39:05 +0200
+Subject: [PATCH] atk-adaptor/bridge: Fix GList handling resulting in memory
+ corruption
+
+As pointed out by this valgrind log:
+
+==2809== Thread 1:
+==2809== Invalid write of size 8
+==2809== at 0x18FCF001: remove_events (bridge.c:759)
+==2809== by 0x18FCF001: handle_event_listener_deregistered (bridge.c:788)
+==2809== by 0x18FCF001: signal_filter (bridge.c:827)
+==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
+==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
+==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
+==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
+==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
+==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
+==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
+==2809== by 0x403DE0: main (in /usr/bin/evolution)
+==2809== Address 0x29f22540 is 16 bytes inside a block of size 24 free'd
+==2809== at 0x4C2ACDD: free (vg_replace_malloc.c:530)
+==2809== by 0xFD92BCD: g_free (gmem.c:189)
+==2809== by 0xFDAA518: g_slice_free1 (gslice.c:1136)
+==2809== by 0xFD89463: g_list_remove (glist.c:521)
+==2809== by 0x18FCF000: remove_events (bridge.c:759)
+==2809== by 0x18FCF000: handle_event_listener_deregistered (bridge.c:788)
+==2809== by 0x18FCF000: signal_filter (bridge.c:827)
+==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
+==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
+==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
+==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
+==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
+==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
+==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
+==2809== by 0x403DE0: main (in /usr/bin/evolution)
+==2809== Block was alloc'd at
+==2809== at 0x4C29BE3: malloc (vg_replace_malloc.c:299)
+==2809== by 0xFD92ABD: g_malloc (gmem.c:94)
+==2809== by 0xFDA9EFD: g_slice_alloc (gslice.c:1025)
+==2809== by 0xFD89983: g_list_append (glist.c:261)
+==2809== by 0x18FCE7EE: add_event (bridge.c:80)
+==2809== by 0x18FCE7EE: add_event_from_iter (bridge.c:217)
+==2809== by 0x18FCEEF6: handle_event_listener_registered (bridge.c:721)
+==2809== by 0x18FCEEF6: signal_filter (bridge.c:825)
+==2809== by 0x200ECDFD: dbus_connection_dispatch (dbus-connection.c:4631)
+==2809== by 0x1FEBD0F4: ??? (in /usr/lib64/libatspi.so.0.0.1)
+==2809== by 0xFD8D4C8: g_main_dispatch (gmain.c:3201)
+==2809== by 0xFD8D4C8: g_main_context_dispatch (gmain.c:3854)
+==2809== by 0xFD8D817: g_main_context_iterate.isra.21 (gmain.c:3927)
+==2809== by 0xFD8DAE9: g_main_loop_run (gmain.c:4123)
+==2809== by 0xDFF84B4: gtk_main (in /usr/lib64/libgtk-3.so.0.2200.10)
+
+This line:
+
+list->prev = g_list_remove (list->prev, evdata);
+
+writes over free'd memory since the list link pointed to by the 'list'
+pointer is free'd by g_list_remove(). We can use g_list_delete_link()
+instead to achieve the intended result (and not re-iterate the whole
+list) with less code overall.
+
+Thanks to Milan Crha for investigating and
+providing the valgring log.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=781658
+---
+ atk-adaptor/bridge.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/atk-adaptor/bridge.c b/atk-adaptor/bridge.c
+index 7de84d4..0b2b736 100644
+--- a/atk-adaptor/bridge.c
++++ b/atk-adaptor/bridge.c
+@@ -748,22 +748,17 @@ remove_events (const char *bus_name, const char *event)
+ if (!g_strcmp0 (evdata->bus_name, bus_name) &&
+ spi_event_is_subtype (evdata->data, remove_data))
+ {
++ GList *next;
+ GList *events = spi_global_app_data->events;
++
+ g_strfreev (evdata->data);
+ g_free (evdata->bus_name);
+ g_slist_free_full (evdata->properties, free_property_definition);
+ g_free (evdata);
+- if (list->prev)
+- {
+- GList *next = list->next;
+- list->prev = g_list_remove (list->prev, evdata);
+- list = next;
+- }
+- else
+- {
+- spi_global_app_data->events = g_list_remove (events, evdata);
+- list = spi_global_app_data->events;
+- }
++
++ next = list->next;
++ spi_global_app_data->events = g_list_delete_link (events, list);
++ list = next;
+ }
+ else
+ {
+--
+2.9.3
+
diff --git a/SPECS/at-spi2-atk.spec b/SPECS/at-spi2-atk.spec
index 89471d8..88ee282 100644
--- a/SPECS/at-spi2-atk.spec
+++ b/SPECS/at-spi2-atk.spec
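Review bot: The new `next = list->next;` line in remove_events carries no comment saying why the successor has to be read before g_list_delete_link() runs, which is exactly the ordering the removed code got wrong; a why-comment above it, `/* g_list_delete_link() frees the node 'list' points at, so fetch its successor first */`, would stop a later reader from folding the two statements back together. The `events` local now only feeds that one call, so `spi_global_app_data->events = g_list_delete_link (spi_global_app_data->events, list);` would let the `GList *events` declaration go too, though that is a matter of taste. The loop over `list` that contains this block starts and ends outside the hunk.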
@@ -1,16 +1,17 @@ -%global atk_version 2.11.90 -%global at_spi2_core_version 2.11.2 +%global atk_version 2.15.4 +%global at_spi2_core_version 2.17.90 Name: at-spi2-atk -Version: 2.14.1 -Release: 1%{?dist} +Version: 2.22.0 +Release: 2%{?dist} Summary: A GTK+ module that bridges ATK to D-Bus at-spi -Group: System Environment/Libraries License: LGPLv2+ -URL: http://www.linuxfoundation.org/en/AT-SPI_on_D-Bus -#VCS: git:git://git.gnome.org/at-spi-atk -Source0: http://download.gnome.org/sources/at-spi2-atk/2.14/%{name}-%{version}.tar.xz +URL: https://wiki.linuxfoundation.org/en/AT-SPI_on_D-Bus +Source0: https://download.gnome.org/sources/at-spi2-atk/2.22/%{name}-%{version}.tar.xz + +Patch0: 0001-atk-adaptor-bridge-Fix-GList-handling-resulting-in-m.patch +Patch1: 0001-Fix-use-after-free-when-returned-objects-hold-only-o.patch BuildRequires: atk-devel >= %{atk_version} BuildRequires: at-spi2-core-devel >= %{at_spi2_core_version} @@ -46,6 +47,8 @@ The %{name}-devel package includes the header files for the %{name} library. %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build %configure @@ -56,7 +59,7 @@ make %{?_smp_mflags} %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install rm $RPM_BUILD_ROOT%{_libdir}/gtk-2.0/modules/libatk-bridge.la rm $RPM_BUILD_ROOT%{_libdir}/libatk-bridge-2.0.la @@ -65,7 +68,8 @@ rm $RPM_BUILD_ROOT%{_libdir}/libatk-bridge-2.0.la %postun -p /sbin/ldconfig %files -%doc COPYING AUTHORS README +%doc AUTHORS README +%license COPYING %dir %{_libdir}/gtk-2.0 %dir %{_libdir}/gtk-2.0/modules %{_libdir}/gtk-2.0/modules/libatk-bridge.so @@ -79,6 +83,14 @@ rm $RPM_BUILD_ROOT%{_libdir}/libatk-bridge-2.0.la %changelog +* Mon Apr 24 2017 Rui Matos - 2.22.0-2 +- Add patch to fix a memory corruption issue + Resolves: #1444490 + +* Mon Sep 26 2016 Kalev Lember - 2.22.0-1 +- Update to 2.22.0 +- Resolves: #1386813 + * Mon Oct 13 2014 Kalev Lember - 2.14.1-1 - Update to 2.14.1
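Review bot: The first hunk adds both Patch0 and Patch1, but the 2.22.0-2 changelog entry visible on this page only records the memory-corruption fix (#1444490), so the use-after-free fix carried by Patch1 has no changelog line; one such as `- Add patch to fix use-after-free on child objects held with a single reference` would keep the record complete. Both patch files are named 0001-…, so the Patch0/Patch1 numbering is the only statement of their apply order, which the %prep hunk follows; a short comment above each Patch line citing the upstream bug from the patch header (bugzilla.gnome.org 781658 for Patch0, 781716 for Patch1) would help later rebases. The changelog hunk continues past the end of this page.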