diff --git a/SOURCES/libvirt-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/SOURCES/libvirt-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
new file mode 100644
index 0000000..6a5d64a
--- /dev/null
+++ b/SOURCES/libvirt-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -0,0 +1,44 @@
+From ff87044456775053ad487635804d7ab49d476cf7 Mon Sep 17 00:00:00 2001
+Message-Id: <ff87044456775053ad487635804d7ab49d476cf7@dist-git>
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 10 May 2018 09:06:15 +0200
+Subject: [PATCH] cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(no upstream commit yet)
+
+Conflicts:
+	src/cpu/cpu_map.xml
+            - stibp and arch-facilities features pushed for Spectre do
+              not exist upstream
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 4d786f1e0a..cee3541d24 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -301,6 +301,9 @@
+     <feature name='arch-facilities'>
+       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x20000000'/>
+     </feature>
++    <feature name='ssbd'>
++      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
++    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
+-- 
+2.17.0
+
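Review bot: The new `<feature name='ssbd'>` entry in the embedded cpu_map.xml hunk only teaches libvirt the name of CPUID.(EAX=7,ECX=0):EDX bit 31, and neither the entry nor the commit message records what else must hold before a guest is actually protected. I would add an XML comment above it such as `<!-- SSBD, CVE-2018-3639: needs updated host microcode and QEMU support; guests see it only after a cold restart with the feature in their CPU definition -->`, so an operator does not treat the package update alone as the fix. The definition also covers only the Intel enumeration: AMD processors report their speculative-store-bypass control in CPUID leaf 0x80000008, which this entry does not describe, so AMD hosts presumably need a follow-up. The diffstat shows one file changed, so no CPU test data accompanies the new bit. The `(no upstream commit yet)` marker should be replaced with the upstream hash once it exists, so the downstream patch can be dropped on rebase.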
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 12479c1..e2f0c77 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -240,7 +240,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 3.9.0
-Release: 14%{?dist}.4%{?extra_release}
+Release: 14%{?dist}.5%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -456,6 +456,7 @@ Patch202: libvirt-vmx-convert-any-amount-of-NICs.patch
 Patch203: libvirt-qemu-Use-dynamic-buffer-for-storing-PTY-aliases.patch
 Patch204: libvirt-qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CVE-2018-5748.patch
 Patch205: libvirt-qemu-avoid-denial-of-service-reading-from-QEMU-guest-agent-CVE-2018-1064.patch
+Patch206: libvirt-cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2369,6 +2370,9 @@ exit 0
 
 
 %changelog
+* Thu May 10 2018 Jiri Denemark <jdenemar@redhat.com> - 3.9.0-14.el7_5.5
+- cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+
 * Fri Apr 13 2018 Jiri Denemark <jdenemar@redhat.com> - 3.9.0-14.el7_5.4
 - lxc: Drop useless check in live device update (rhbz#1557922)
 - Pass oldDev to virDomainDefCompatibleDevice on device update (rhbz#1557922)