diff --git a/SOURCES/libxml2-2.9.7-CVE-2020-24977.patch b/SOURCES/libxml2-2.9.7-CVE-2020-24977.patch
new file mode 100644
index 0000000..fe4b398
--- /dev/null
+++ b/SOURCES/libxml2-2.9.7-CVE-2020-24977.patch
@@ -0,0 +1,36 @@
+From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e4636..c647486f3 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+     char *result;
+ 
++    /*
++     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++     * an out-of-bounds read.
++     */
++    memset(&buffer[sizeof(buffer)-4], 0, 4);
+     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+     if (result) {
+ 	xmlGenericError(xmlGenericErrorContext, "%s", result);
+-- 
+GitLab
+
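Review bot: The added `memset(&buffer[sizeof(buffer)-4], 0, 4);` in xmlHTMLEncodeSend guards only this one call site. Per the new comment, xmlEncodeEntitiesReentrant still assumes valid UTF-8, so any other caller that passes a string ending in a truncated sequence would presumably still hit the same out-of-bounds read. The zeroing is only correct if `buffer` is a real array of at least 4 bytes here, so that `sizeof(buffer)` is the array size and not a pointer size; its declaration is outside the hunk and should be checked against the 2.9.7 tree this backport applies to. I would also extend the comment to explain the constant and the side effect, e.g. `/* 4 = longest UTF-8 sequence; trailing bytes of a full buffer are overwritten */`. The function body continues past the end of the hunk.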
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index e393c24..164a752 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -7,7 +7,7 @@
 
 Name:           libxml2
 Version:        2.9.7
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Library providing XML and HTML support
 
 License:        MIT
@@ -34,6 +34,8 @@ Patch7:         libxml2-CVE-2019-19956.patch
 Patch8:         libxml2-2.9.7-CVE-2020-7595.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1810058
 Patch9:         libxml2-2.9.7-CVE-2019-20388.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1878252
+Patch10:        libxml2-2.9.7-CVE-2020-24977.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake-rpm-macros
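Review bot: Declaring `Patch10:` only registers the file, and the `%prep` section that applies patches is not visible in this diff. If the spec applies patches with explicit per-patch `%patchN` lines rather than `%autosetup`/`%autopatch`, a matching `%patch10 -p1` line is needed; otherwise the package would build at release 9 without the CVE-2020-24977 fix. It is worth confirming in the build log that the xmllint.c hunk was applied.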
@@ -205,6 +207,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
+* Mon Oct 19 2020 David King <dking@redhat.com> - 2.9.7-9
+- Fix CVE-2020-24977 (#1878252)
+
 * Mon Jan 20 2020 David King <dking@redhat.com> - 2.9.7-8
 - Fix CVE-2019-19956 (#1793001)
 - Fix CVE-2020-7595 (#1799786)