diff --git a/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
new file mode 100644
index 0000000..a873251
--- /dev/null
+++ b/SOURCES/0001-spec-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,30 @@
+From ed485db1465d67f0215c27529c57a76a1daf5135 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 11:05:18 +0100
+Subject: [PATCH 1/2] spec: do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit b847d146d496c9d7beba166fd595488e85488562)
+---
+ src/libcrun/container.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/libcrun/container.c b/src/libcrun/container.c
+index d3fb017..1e3f3e6 100644
+--- a/src/libcrun/container.c
++++ b/src/libcrun/container.c
+@@ -128,9 +128,6 @@ static char spec_file[] = "\
+ 				\"CAP_NET_BIND_SERVICE\"\n\
+ 			],\n\
+ 			\"inheritable\": [\n\
+-				\"CAP_AUDIT_WRITE\",\n\
+-				\"CAP_KILL\",\n\
+-				\"CAP_NET_BIND_SERVICE\"\n\
+ 			],\n\
+ 			\"permitted\": [\n\
+ 				\"CAP_AUDIT_WRITE\",\n\
+-- 
+2.35.1
+
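Review bot: With `\"inheritable\": [` now left empty in the `spec_file` template, any `\"ambient\"` list in the same template can no longer be honoured, because the kernel raises an ambient capability only when it is in both the permitted and the inheritable set. The template continues past `\"permitted\"` outside this hunk, so it is not visible whether an ambient list follows; if one does, it should be emptied too, or the runtime should skip it deliberately rather than fail or drop it silently. The same question applies to the `src/exec.c` hunk in patch 2/2, where the code after the `bounding` assignment is not shown. A regression test that runs a container from the generated default spec and checks `CapInh` and `CapAmb` in `/proc/self/status` would pin the intended result.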
diff --git a/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
new file mode 100644
index 0000000..3d8f390
--- /dev/null
+++ b/SOURCES/0002-exec-cap-do-not-set-inheritable-capabilities.patch
@@ -0,0 +1,31 @@
+From 21cb5a8c7bcc90c42743ffd15cd11a55bf66993d Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Mon, 28 Feb 2022 11:06:50 +0100
+Subject: [PATCH 2/2] exec: --cap do not set inheritable capabilities
+
+Closes: CVE-2022-27650
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+(cherry picked from commit 1aeeed2e4fdeffb4875c0d0b439915894594c8c6)
+---
+ src/exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/exec.c b/src/exec.c
+index bf6c05f..8c9862d 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -250,8 +250,8 @@ crun_command_exec (struct crun_global_arguments *global_args, int argc, char **a
+           capabilities->effective = exec_options.cap;
+           capabilities->effective_len = exec_options.cap_size;
+ 
+-          capabilities->inheritable = dup_array (exec_options.cap, exec_options.cap_size);
+-          capabilities->inheritable_len = exec_options.cap_size;
++          capabilities->inheritable = NULL;
++          capabilities->inheritable_len = 0;
+ 
+           capabilities->bounding = dup_array (exec_options.cap, exec_options.cap_size);
+           capabilities->bounding_len = exec_options.cap_size;
+-- 
+2.35.1
+
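Review bot: The two added assignments in `crun_command_exec` clear the inheritable set without saying why, while the neighbouring `effective` and `bounding` lines still take `exec_options.cap`, so the asymmetry can look like an oversight to a later reader and be "fixed" back. I would add a comment directly above them, for example `/* Keep inheritable empty: a non-empty set lets a binary with inheritable file capabilities gain them into permitted on execve (CVE-2022-27650). */`. The function body starts and ends outside the hunk.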
diff --git a/SPECS/crun.spec b/SPECS/crun.spec
index 401e677..7505ee9 100644
--- a/SPECS/crun.spec
+++ b/SPECS/crun.spec
@@ -1,9 +1,11 @@
 Summary: OCI runtime written in C
 Name: crun
 Version: 0.18
-Release: 2%{?dist}
+Release: 3%{?dist}
 Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch0: 0001-revert-tests-build-init-always-statically.patch
+Patch1: 0001-spec-do-not-set-inheritable-capabilities.patch
+Patch2: 0002-exec-cap-do-not-set-inheritable-capabilities.patch
 License: GPLv2+
 URL: https://github.com/containers/crun
 # https://fedoraproject.org/wiki/PackagingDrafts/Go#Go_Language_Architectures
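Review bot: `Patch1` and `Patch2` are only declared here, and neither spec hunk touches `%prep`, so whether the CVE-2022-27650 fix actually reaches the built binary depends on lines outside this diff. If `%prep` uses `%autosetup`, the new patches are applied automatically; if it lists patches explicitly, matching `%patch1 -p1` and `%patch2 -p1` lines are needed. Checking the build log for both patch names would confirm it.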
@@ -47,6 +49,10 @@ rm -rf $RPM_BUILD_ROOT/usr/lib*
 %{_mandir}/man1/*
 
 %changelog
+* Tue Apr 05 2022 Jindrich Novy <jnovy@redhat.com> - 0.18-3
+- fix CVE-2022-27650
+- Related: #2061390
+
 * Fri Feb 19 2021 Jindrich Novy <jnovy@redhat.com> - 0.18-2
 - allow to build without glibc-static (thanks to Giuseppe Scrivano)
 - Related: #1883490