diff --git a/SOURCES/CVE-2024-1086.patch b/SOURCES/CVE-2024-1086.patch
new file mode 100644
index 0000000..788da63
--- /dev/null
+++ b/SOURCES/CVE-2024-1086.patch
@@ -0,0 +1,110 @@
+From 0b95e025ee195fd549a77916c14af38e9b25ac16 Mon Sep 17 00:00:00 2001
+From: Ryan Sullivan
+Date: Tue, 16 Apr 2024 13:57:40 -0400
+Subject: [KPATCH CVE-2024-1086] kpatch fixes for CVE-2024-1086
+
+Kernels:
+3.10.0-1160.102.1.el7
+3.10.0-1160.105.1.el7
+3.10.0-1160.108.1.el7
+
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/70
+Approved-by: Joe Lawrence (@joe.lawrence)
+Changes since last build:
+[x86_64]:
+nf_tables_api.o: changed function: nft_data_init
+
+[ppc64le]:
+nf_tables_api.o: changed function: nft_data_init
+nf_tables_api.o: changed function: nft_del_setelem
+
+---------------------------
+
+Modifications: none
+
+commit 03d2627c7d53c06b8b28f5a57eb48ddbc1829c12
+Author: Florian Westphal
+Date: Fri Feb 2 15:28:35 2024 +0100
+
+ netfilter: nf_tables: reject QUEUE/DROP verdict parameters
+
+ JIRA: https://issues.redhat.com/browse/RHEL-23500
+ Upstream Status: commit f342de4e2f33
+ CVE: CVE-2024-1086
+
+ commit f342de4e2f33e0e39165d8639387aa6c19dff660
+ Author: Florian Westphal
+ Date: Sat Jan 20 22:50:04 2024 +0100
+
+ netfilter: nf_tables: reject QUEUE/DROP verdict parameters
+
+ This reverts commit e0abdadcc6e1.
+
+ core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
+ verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
+ or 0.
+
+ Due to the reverted commit, its possible to provide a positive
+ value, e.g. NF_ACCEPT (1), which results in use-after-free.
+
+ Its not clear to me why this commit was made.
+
+ NF_QUEUE is not used by nftables; "queue" rules in nftables
+ will result in use of "nft_queue" expression.
+
+ If we later need to allow specifiying errno values from userspace
+ (do not know why), this has to call NF_DROP_GETERR and check that
+ "err <= 0" holds true.
+
+ Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
+ Cc: stable@vger.kernel.org
+ Reported-by: Notselwyn
+ Signed-off-by: Florian Westphal
+ Signed-off-by: Pablo Neira Ayuso
+
+ Signed-off-by: Florian Westphal
+
+Signed-off-by: Ryan Sullivan
+---
+ net/netfilter/nf_tables_api.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index ed8a787ac400..940f947b5fe7 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4629,16 +4629,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+- default:
+- switch (data->verdict.code & NF_VERDICT_MASK) {
+- case NF_ACCEPT:
+- case NF_DROP:
+- case NF_QUEUE:
+- break;
+- default:
+- return -EINVAL;
+- }
+- /* fall through */
++ case NF_ACCEPT:
++ case NF_DROP:
++ case NF_QUEUE:
++ break;
+ case NFT_CONTINUE:
+ case NFT_BREAK:
+ case NFT_RETURN:
+@@ -4657,6 +4651,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ chain->use++;
+ data->verdict.chain = chain;
+ break;
++ default:
++ return -EINVAL;
+ }
+
+ desc->len = sizeof(data->verdict);
+--
+2.45.1
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 0e2feb7..040a697 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver 3.10.0-1160.105.1.el7
 %define kpatch_ver 0.9.2
 %define rpm_ver 1
-%define rpm_rel 3
+%define rpm_rel 4

 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -28,6 +28,9 @@ Source104: CVE-2023-4622.patch
 #
 # https://issues.redhat.com/browse/RHEL-16619
 Source105: CVE-2023-4623.patch
+#
+# https://issues.redhat.com/browse/RHEL-32280
+Source106: CVE-2024-1086.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
@@ -162,6 +165,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif

 %changelog
+* Wed Jun 12 2024 Yannick Cote [1-4.el7]
+- kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function [RHEL-32280] {CVE-2024-1086}
+
 * Tue Apr 16 2024 Yannick Cote [1-3.el7]
 - kernel: net/sched: sch_hfsc UAF [RHEL-16619] {CVE-2023-4623}
 - kernel: use after free in unix_stream_sendpage [RHEL-17942] {CVE-2023-4622}