diff --git a/SOURCES/CVE-2022-1966.patch b/SOURCES/CVE-2022-1966.patch
new file mode 100644
index 0000000..6e0a25a
--- /dev/null
+++ b/SOURCES/CVE-2022-1966.patch
@@ -0,0 +1,176 @@
+From bdeb7f1c4651240043b0b8a2a5432fc9760cfadf Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@redhat.com>
+Date: Wed, 15 Jun 2022 16:10:31 -0400
+Subject: [KPATCH CVE-2022-1966] kpatch fixes for CVE-2022-1966
+
+Kernels:
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+3.10.0-1160.45.1.el7
+3.10.0-1160.49.1.el7
+3.10.0-1160.53.1.el7
+3.10.0-1160.59.1.el7
+3.10.0-1160.62.1.el7
+3.10.0-1160.66.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+nf_tables_api.o: changed function: nft_expr_init
+nft_dynset.o: changed function: nft_dynset_init
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/42
+Approved-by: Yannick Cote (@ycote1)
+Modifications: none
+
+commit c511e60bebd0546f8ec47a3c1691ab01d262b8e4
+Author: Phil Sutter <psutter@redhat.com>
+Date:   Fri Jun 3 16:54:42 2022 +0200
+
+    netfilter: nf_tables: fix memory leak if expr init fails
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2093000
+    Upstream Status: commit 6cafaf4764a32
+
+    commit 6cafaf4764a32597c2195aa5411b87728e1fde8a
+    Author: Liping Zhang <liping.zhang@spreadtrum.com>
+    Date:   Mon Jun 20 21:11:45 2016 +0800
+
+        netfilter: nf_tables: fix memory leak if expr init fails
+
+        If expr init fails then we need to free it.
+
+        So when the user add a nft rule as follows:
+
+          # nft add rule filter input tcp dport 22 flow table ssh \
+            { ip saddr limit rate 0/second }
+
+        memory leak will happen.
+
+        Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
+        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+    Signed-off-by: Phil Sutter <psutter@redhat.com>
+
+commit 4a4cc18bcf8f43c93dbf39cb52308dfaea4ec346
+Author: Phil Sutter <psutter@redhat.com>
+Date:   Fri Jun 3 16:54:43 2022 +0200
+
+    netfilter: nf_tables: disallow non-stateful expression in sets earlier
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2093000
+    Upstream Status: net.git commit 520778042ccca
+    CVE: CVE-2022-1966
+    Conflicts:
+     * RHEL7 does not have nft_set_elem_expr_alloc(), remove
+       NFT_EXPR_STATEFUL check from nft_dynset_init() instead
+     * Context change in nft_expr_init() as RHEL7 does not have .release_ops
+     * Adjusted new NFT_EXPR_STATEFUL check as upstream renamed 'info' into
+       'expr_info'
+
+    commit 520778042ccca019f3ffa136dd0ca565c486cedd
+    Author: Pablo Neira Ayuso <pablo@netfilter.org>
+    Date:   Wed May 25 10:36:38 2022 +0200
+
+        netfilter: nf_tables: disallow non-stateful expression in sets earlier
+
+        Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
+        instantiation"), it is possible to attach stateful expressions to set
+        elements.
+
+        cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
+        and destroy phase") introduces conditional destruction on the object to
+        accomodate transaction semantics.
+
+        nft_expr_init() calls expr->ops->init() first, then check for
+        NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
+        lookup expressions which points to a set, which might lead to UAF since
+        the set is not properly detached from the set->binding for this case.
+        Anyway, this combination is non-sense from nf_tables perspective.
+
+        This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
+        expr->ops->init() is called.
+
+        The reporter provides a KASAN splat and a poc reproducer (similar to
+        those autogenerated by syzbot to report use-after-free errors). It is
+        unknown to me if they are using syzbot or if they use similar automated
+        tool to locate the bug that they are reporting.
+
+        For the record, this is the KASAN splat.
+
+        [   85.431824] ==================================================================
+        [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
+        [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
+        [   85.434756]
+        [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
+        [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+
+        Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
+        Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>
+        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+    Signed-off-by: Phil Sutter <psutter@redhat.com>
+
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+ net/netfilter/nf_tables_api.c | 16 +++++++++++-----
+ net/netfilter/nft_dynset.c    |  4 ----
+ 2 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0f46d90715a3..44738b987690 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1739,21 +1739,27 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+ 
+ 	err = nf_tables_expr_parse(ctx, nla, &info);
+ 	if (err < 0)
+-		goto err1;
++		goto err_expr_parse;
++
++	err = -EOPNOTSUPP;
++	if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
++		goto err_expr_stateful;
+ 
+ 	err = -ENOMEM;
+ 	expr = kzalloc(info.ops->size, GFP_KERNEL);
+ 	if (expr == NULL)
+-		goto err2;
++		goto err_expr_stateful;
+ 
+ 	err = nf_tables_newexpr(ctx, &info, expr);
+ 	if (err < 0)
+-		goto err2;
++		goto err_expr_new;
+ 
+ 	return expr;
+-err2:
++err_expr_new:
++	kfree(expr);
++err_expr_stateful:
+ 	module_put(info.ops->type->owner);
+-err1:
++err_expr_parse:
+ 	return ERR_PTR(err);
+ }
+ 
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 3f9f8e82716e..0cf187230050 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -174,10 +174,6 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ 		priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
+ 		if (IS_ERR(priv->expr))
+ 			return PTR_ERR(priv->expr);
+-
+-		err = -EOPNOTSUPP;
+-		if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
+-			goto err1;
+ 	} else if (set->flags & NFT_SET_EVAL)
+ 		return -EINVAL;
+ 
+-- 
+2.34.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index a9a029e..9d5c4e4 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver	3.10.0-1160.42.2.el7
 %define kpatch_ver	0.9.2
 %define rpm_ver		1
-%define rpm_rel		5
+%define rpm_rel		6
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -43,6 +43,9 @@ Source109: CVE-2021-4083.patch
 #
 # https://bugzilla.redhat.com/2052183
 Source110: CVE-2022-0492.patch
+#
+# https://bugzilla.redhat.com/2093010
+Source111: CVE-2022-1966.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -175,6 +178,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Fri Jun 17 2022 Yannick Cote <ycote@redhat.com> [1-6.el7]
+- kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root [2093010] {CVE-2022-1966}
+
 * Thu May 12 2022 Joe Lawrence <joe.lawrence@redhat.com> [1-5.el7]
 - kernel: cgroups v1 release_agent feature may allow privilege escalation [2052183] {CVE-2022-0492}