diff --git a/SOURCES/flac-cve-2021-0561.patch b/SOURCES/flac-cve-2021-0561.patch
new file mode 100644
index 0000000..71069b1
--- /dev/null
+++ b/SOURCES/flac-cve-2021-0561.patch
@@ -0,0 +1,28 @@
+commit e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be
+Author: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date:   Fri Dec 18 22:28:36 2020 +0530
+
+    libFlac: Exit at EOS in verify mode
+    
+    When verify mode is enabled, once decoder flags end of stream,
+    encode processing is considered complete.
+    
+    CVE-2021-0561
+    
+    Signed-off-by: Ralph Giles <giles@thaumas.net>
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247f..7109802c 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++			    || (!is_last_block
++				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
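Review bot: The added `|| (!is_last_block && ... == FLAC__STREAM_DECODER_END_OF_STREAM)` clause in the embedded stream_encoder.c hunk has no comment, and the condition alone does not explain why an end-of-stream verify decoder must abort the write before the last block. A short comment above the `if` would keep a later refactor from dropping the guard, for example `/* verify decoder reached EOS before the encoder's last block: stop here instead of continuing to feed it (CVE-2021-0561) */`. write_bitbuffer_ starts and ends outside the hunk, so the encoder state assigned on this path is not visible. It presumably reuses the generic verify-decoder error state, which is worth confirming because callers could then not tell an early EOS from an ordinary decode failure.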
diff --git a/SPECS/flac.spec b/SPECS/flac.spec
index e2f5ef2..9aa9576 100644
--- a/SPECS/flac.spec
+++ b/SPECS/flac.spec
@@ -8,7 +8,7 @@
 Summary: An encoder/decoder for the Free Lossless Audio Codec
 Name: flac
 Version: 1.3.3
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: BSD and GPLv2+ and GFDL
 Source0: https://downloads.xiph.org/releases/flac/flac-%{version}.tar.xz
 URL: https://www.xiph.org/flac/
@@ -26,6 +26,8 @@ BuildRequires: nasm >= 2.0
 BuildRequires: make
 
 Patch1: flac-cve-2020-0499.patch
+# handle end-of-stream when encoding with verification
+Patch2: flac-cve-2021-0561.patch
 
 %description
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC
@@ -75,6 +77,7 @@ This is the input plugin for XMMS to be able to read FLAC files.
 %prep
 %setup -q
 %patch1 -p1 -b .cve-2020-0499
+%patch2 -p1 -b .cve-2021-0561
 
 %build
 # use our libtool to avoid problems with RPATH
@@ -143,6 +146,9 @@ make check
 %endif
 
 %changelog
+* Thu May 05 2022 Miroslav Lichvar <mlichvar@redhat.com> 1.3.3-10
+- handle end-of-stream when encoding with verification (CVE-2021-0561)
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.3-9
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688