diff --git a/SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch b/SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch
new file mode 100644
index 0000000..fb6934f
--- /dev/null
+++ b/SOURCES/fusermount-don-t-feed-escaped-commas-into-mount-opti.patch
@@ -0,0 +1,47 @@
+From 520f09be3c2d351722c33daf7389d6ac4716be98 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 13 Jul 2018 15:15:36 -0700
+Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
+
+The old code permits the following behavior:
+
+$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
+mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
+
+However, backslashes do not have any special meaning for the kernel here.
+
+As it happens, you can't abuse this because there is no FUSE mount option
+that takes a string value that can contain backslashes; but this is very
+brittle. Don't interpret "escape characters" in places where they don't
+work.
+---
+ util/fusermount.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 26a0b75bbecb..5175c0115a05 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -29,6 +29,7 @@
+ #include <sys/socket.h>
+ #include <sys/utsname.h>
+ #include <sched.h>
++#include <stdbool.h>
+ 
+ #define FUSE_COMMFD_ENV		"_FUSE_COMMFD"
+ 
+@@ -739,8 +740,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 		unsigned len;
+ 		const char *fsname_str = "fsname=";
+ 		const char *subtype_str = "subtype=";
++		bool escape_ok = begins_with(s, fsname_str) ||
++				 begins_with(s, subtype_str);
+ 		for (len = 0; s[len]; len++) {
+-			if (s[len] == '\\' && s[len + 1])
++			if (escape_ok && s[len] == '\\' && s[len + 1])
+ 				len++;
+ 			else if (s[len] == ',')
+ 				break;
+-- 
+2.14.3
+
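Review bot: The new `escape_ok` declaration in do_mount's option loop has no comment saying why backslash escapes are honoured only for `fsname=` and `subtype=`, and that reasoning is the whole security argument of the patch. A comment above it such as `/* '\' has no special meaning to the kernel in mount data; treat "\," as an escaped comma only in fsname=/subtype= */` would stop a later maintainer from widening the condition; presumably those two are exempt because fusermount consumes them itself, which is worth confirming and stating. The branches that decide what happens to every other option lie outside this hunk. If unrecognised options are still copied into the string passed to mount(2), rejecting them outright would be sturdier than relying on this length scan alone, since the policy check on `allow_other` depends on the scan and the kernel agreeing about where each option ends. A regression case for the `foobar=\,allow_other` input quoted in the commit message would pin the fixed behaviour.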
diff --git a/SPECS/fuse.spec b/SPECS/fuse.spec
index 423b455..5ab3a0d 100644
--- a/SPECS/fuse.spec
+++ b/SPECS/fuse.spec
@@ -1,6 +1,6 @@
 Name:           fuse
 Version:        2.9.2
-Release:        10%{?dist}
+Release:        11%{?dist}
 Summary:        File System in Userspace (FUSE) utilities
 
 Group:          System Environment/Base
@@ -13,6 +13,7 @@ Patch1:		fuse-0001-More-parentheses.patch
 Patch2:		fuse-aarch64.patch
 Patch3:		buffer_size.patch
 Patch4:		libfuse-fix-crash-in-unlock_path.patch
+Patch5: 	fusermount-don-t-feed-escaped-commas-into-mount-opti.patch
 
 Requires:       which
 Conflicts:      filesystem < 3
@@ -58,6 +59,7 @@ sed -i 's|mknod|echo Disabled: mknod |g' util/Makefile.in
 %patch2 -p1 -b .aarch64
 %patch3 -p1 -b .buffer_size
 %patch4 -p1 -b .unlock_path_crash
+%patch5 -p1 -b .escaped_commas
 
 %build
 # Can't pass --disable-static here, or else the utils don't build
@@ -109,6 +111,9 @@ rm -f %{buildroot}%{_sysconfdir}/udev/rules.d/99-fuse.rules
 %{_includedir}/fuse
 
 %changelog
+* Tue Jul 24 2018 Miklos Szeredi <mszeredi@redhat.com> - 2.9.2-11
+- Fixed CVE-2018-10906 (rhbz#1605159)
+
 * Fri Jan 05 2018 Miklos Szeredi <mszeredi@redhat.com> - 2.9.2-10
 - Fix crash in unlock_path() (rhbz#1527008)