diff --git a/SOURCES/opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch b/SOURCES/opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch
new file mode 100644
index 0000000..dc8c70c
--- /dev/null
+++ b/SOURCES/opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch
@@ -0,0 +1,12 @@
+diff -up opencryptoki-3.17.0/usr/lib/api/api_interface.c.me opencryptoki-3.17.0/usr/lib/api/api_interface.c
+--- opencryptoki-3.17.0/usr/lib/api/api_interface.c.me	2022-01-17 12:04:18.937010924 +0100
++++ opencryptoki-3.17.0/usr/lib/api/api_interface.c	2022-01-17 12:04:54.020182038 +0100
+@@ -2869,7 +2869,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
+ 
+     rc = check_user_and_group();
+     if (rc != CKR_OK)
+-        return rc;
++        goto done;
+ 
+     if (!Anchor) {
+         Anchor = (API_Proc_Struct_t *) malloc(sizeof(API_Proc_Struct_t));
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 0c064ad..3747f3f 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version:		3.17.0
-Release:		3%{?dist}
+Release:		4%{?dist}
 License:		CPL
 URL:			https://github.com/opencryptoki/opencryptoki
 Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -14,6 +14,7 @@ Patch2:			opencryptoki-3.17.0-p11sak.patch
 # upstream patches
 # PIDfile below legacy directory /var/run/
 Patch300: opencryptoki-pkcsslotd-pidfile.patch
+Patch301: opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch
 
 Requires(pre):		coreutils
 Requires: 		(selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
@@ -318,6 +319,9 @@ fi
 
 
 %changelog
+* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-4
+- Resolves: #2040678, API: Unlock GlobMutex if user and group check fails
+
 * Sat Dec 04 2021 Than Ngo <than@redhat.com> - 3.17.0-3
 - Related: #2015888, added missing patch pkcsslotd-pidfile