diff --git a/SOURCES/file-5.11-CVE-2018-10360.patch b/SOURCES/file-5.11-CVE-2018-10360.patch
new file mode 100644
index 0000000..0b7aeba
--- /dev/null
+++ b/SOURCES/file-5.11-CVE-2018-10360.patch
@@ -0,0 +1,28 @@
+From 8616080aecf07436e80a27f68c336382c1d1c22d Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Sat, 9 Jun 2018 16:00:06 +0000
+Subject: [PATCH] Avoid reading past the end of buffer (Rui Reis)
+
+Upstream-commit: a642587a9c9e2dd7feacdf513c3643ce26ad3c22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/readelf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/readelf.c b/src/readelf.c
+index 3df0836..d96a538 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -966,7 +966,8 @@ core:
+ 
+ 				cname = (unsigned char *)
+ 				    &nbuf[doff + prpsoffsets(i)];
+-				for (cp = cname; *cp && isprint(*cp); cp++)
++				for (cp = cname; cp < nbuf + size && *cp
++				    && isprint(*cp); cp++)
+ 					continue;
+ 				/*
+ 				 * Linux apparently appends a space at the end
+-- 
+2.14.4
+
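Review bot: The added bound `cp < nbuf + size` in the `for` loop limits where the process-name scan stops, but nothing in the hunk shows that the starting offset `doff + prpsoffsets(i)` used to compute `cname` is itself below `size`. The enclosing function starts and ends outside the hunk, so that check may already exist earlier and should be confirmed. If it does not, the loop simply does not run, but `cname` would already point past the buffer and the code after the loop (not visible here) may still use it. I would also add a short comment above the loop, e.g. `/* stop at the end of nbuf: a crafted note need not contain a terminating byte */`, so the reason for the bound survives later refactoring.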
diff --git a/SPECS/file.spec b/SPECS/file.spec
index f24bf82..a280f2b 100644
--- a/SPECS/file.spec
+++ b/SPECS/file.spec
@@ -5,7 +5,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.11
-Release: 35%{?dist}
+Release: 36%{?dist}
 License: BSD
 Group: Applications/File
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
@@ -72,6 +72,9 @@ Patch60: file-5.11-gzip-strength.patch
 # fix #1562135 - do not classify groovy script as python code
 Patch61: file-5.11-python-comment.patch
 
+# fix out-of-bounds read via a crafted ELF file (CVE-2018-10360)
+Patch62: file-5.11-CVE-2018-10360.patch
+
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -179,6 +182,7 @@ file(1) command.
 %patch59 -p1
 %patch60 -p1
 %patch61 -p1
+%patch62 -p1
 
 # Patches can generate *.orig files, which can't stay in the magic dir,
 # otherwise there will be problems when compiling magic file!
@@ -258,6 +262,9 @@ cd python
 %endif
 
 %changelog
+* Tue Aug 06 2019 Kamil Dudka <kdudka@redhat.com> - 5.11-36
+- fix out-of-bounds read via a crafted ELF file (CVE-2018-10360)
+
 * Wed Jun 06 2018 Kamil Dudka <kdudka@redhat.com> 5.11-35
 - fix #1562135 - do not classify groovy script as python code