diff --git a/SOURCES/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch b/SOURCES/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
new file mode 100644
index 0000000..6929363
--- /dev/null
+++ b/SOURCES/Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
@@ -0,0 +1,113 @@
+From 4e8579f0a41b66ed8029f21a52082e1c27ab3996 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 7 Jul 2021 11:47:44 +1200
+Subject: [PATCH] Fix KDC null deref on bad encrypted challenge
+
+The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check
+to avoid further processing if the armor key is NULL. However, this
+check is bypassed by a call to k5memdup0() which overwrites retval
+with 0 if the allocation succeeds. If the armor key is NULL, a call
+to krb5_c_fx_cf2_simple() will then dereference it, resulting in a
+crash. Add a check before the k5memdup0() call to avoid overwriting
+retval.
+
+CVE-2021-36222:
+
+In MIT krb5 releases 1.16 and later, an unauthenticated attacker can
+cause a null dereference in the KDC by sending a request containing a
+PA-ENCRYPTED-CHALLENGE padata element without using FAST.
+
+[ghudson@mit.edu: trimmed patch; added test case; edited commit
+message]
+
+(cherry picked from commit fc98f520caefff2e5ee9a0026fdf5109944b3562)
+
+ticket: 9007
+version_fixed: 1.18.4
+
+(cherry picked from commit c4a406095b3ea4a67ae5b8ea586cbe9abdbae76f)
+---
+ src/kdc/kdc_preauth_ec.c | 3 ++-
+ src/tests/Makefile.in | 1 +
+ src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 src/tests/t_cve-2021-36222.py
+
+diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
+index 7e636b3f9..43a9902cc 100644
+--- a/src/kdc/kdc_preauth_ec.c
++++ b/src/kdc/kdc_preauth_ec.c
+@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ }
+
+ /* Check for a configured FAST ec auth indicator. */
+- realmstr = k5memdup0(realm.data, realm.length, &retval);
++ if (retval == 0)
++ realmstr = k5memdup0(realm.data, realm.length, &retval);
+ if (realmstr != NULL)
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+ realmstr,
+diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
+index 3f88f1713..0ffbebf56 100644
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -158,6 +158,7 @@ check-pytests: unlockiter s4u2self
+ $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS)
++ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS)
+ $(RM) au.log
+ $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
+diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py
+new file mode 100644
+index 000000000..57e04993b
+--- /dev/null
++++ b/src/tests/t_cve-2021-36222.py
+@@ -0,0 +1,46 @@
++import socket
++from k5test import *
++
++realm = K5Realm()
++
++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth
++# without FAST
++
++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++a = (hostname, realm.portbase)
++
++m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE
++ 'A103' '0201' '05' # [1] pvno = 5
++ 'A203' '0201' '0A' # [2] msg-type = 10
++ 'A30E' '300C' # [3] padata = SEQUENCE OF
++ '300A' # SEQUENCE
++ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE
++ 'A202' '0400' # [2] padata-value = ""
++ 'A48180' '307E' # [4] req-body = SEQUENCE
++ 'A007' '0305' '0000000000' # [0] kdc-options = 0
++ 'A120' '301E' # [1] cname = SEQUENCE
++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
++ 'A117' '3015' # [1] name-string = SEQUENCE-OF
++ '1B06' '6B7262746774' # krbtgt
++ '1B0B' '4B5242544553542E434F4D'
++ # KRBTEST.COM
++ 'A20D' '1B0B' '4B5242544553542E434F4D'
++ # [2] realm = KRBTEST.COM
++ 'A320' '301E' # [3] sname = SEQUENCE
++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL
++ 'A117' '3015' # [1] name-string = SEQUENCE-OF
++ '1B06' '6B7262746774' # krbtgt
++ '1B0B' '4B5242544553542E434F4D'
++ # KRBTEST.COM
++ 'A511' '180F' '31393934303631303036303331375A'
++ # [5] till = 19940610060317Z
++ 'A703' '0201' '00' # [7] nonce = 0
++ 'A808' '3006' # [8] etype = SEQUENCE OF
++ '020112' '020111') # aes256-cts aes128-cts
++
++s.sendto(bytes.fromhex(m), a)
++
++# Make sure kinit still works.
++realm.kinit(realm.user_princ, password('user'))
++
++success('CVE-2021-36222 regression test')
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 657d13d..8f05c8c 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 12%{?dist}
+Release: 13%{?dist}
# lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -84,6 +84,7 @@ Patch138: Fix-KCM-flag-transmission-for-remove_cred.patch
Patch139: Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
Patch140: Use-KCM_OP_RETRIEVE-in-KCM-client.patch
Patch141: Fix-KCM-retrieval-support-for-sssd.patch
+Patch142: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -694,6 +695,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Tue Jul 20 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-13
+- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
+- Resolves: #1983729
+
* Thu Jun 10 2021 Robbie Harwood <rharwood@redhat.com> - 1.18.2-12
- Backport KCM performance enablements
- Resolves: #1956388