diff --git a/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch b/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch
new file mode 100644
index 0000000..c861af2
--- /dev/null
+++ b/SOURCES/kvm-slirp-Correct-size-check-in-m_inc.patch
@@ -0,0 +1,66 @@
+From ebad012fad51bd72c0618face6188086ee9c2be4 Mon Sep 17 00:00:00 2001
+From: Xiao Wang
+Date: Wed, 8 Aug 2018 06:01:52 +0200
+Subject: [PATCH 3/3] slirp: Correct size check in m_inc()
+
+RH-Author: Xiao Wang
+Message-id: <1533708112-14286-4-git-send-email-jasowang@redhat.com>
+Patchwork-id: 81672
+O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 3/3] slirp: Correct size check in m_inc()
+Bugzilla: 1586247
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: wexu@redhat.com
+RH-Acked-by: Thomas Huth
+
+From: Peter Maydell
+
+The data in an mbuf buffer is not necessarily at the start of the
+allocated buffer. (For instance m_adj() allows data to be trimmed
+from the start by just advancing the pointer and reducing the length.)
+This means that the allocated buffer size (m->m_size) and the
+amount of space from the m_data pointer to the end of the
+buffer (M_ROOM(m)) are not necessarily the same.
+
+Commit 864036e251f54c9 tried to change the m_inc() function from
+taking the new allocated-buffer-size to taking the new room-size,
+but forgot to change the initial "do we already have enough space"
+check. This meant that if we were trying to extend a buffer which
+had a leading gap between the buffer start and the data, we might
+incorrectly decide it didn't need to be extended, and then
+overrun the end of the buffer, causing memory corruption and
+an eventual crash.
+
+Change the "already big enough?" condition from checking the
+argument against m->m_size to checking against M_ROOM().
+This only makes a difference for the callsite in m_cat();
+the other three callsites all start with a freshly allocated
+mbuf from m_get(), which will have m->m_size == M_ROOM(m).
+
+Fixes: 864036e251f54c9
+Fixes: https://bugs.launchpad.net/qemu/+bug/1785670
+Signed-off-by: Peter Maydell
+Reviewed-by: Samuel Thibault
+Message-id: 20180807114501.12370-1-peter.maydell@linaro.org
+Tested-by: Dr. David Alan Gilbert
+(cherry picked from commit 09b94ac0f29db3b022a77a5aa50dc9e37032689d)
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/mbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 0c189e1..1b78683 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -154,7 +154,7 @@ m_inc(struct mbuf *m, int size)
+ int datasize;
+
+ /* some compilers throw up on gotos. This one we can fake. */
+- if (m->m_size > size) {
++ if (M_ROOM(m) > size) {
+ return;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch b/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch
new file mode 100644
index 0000000..795b7ef
--- /dev/null
+++ b/SOURCES/kvm-slirp-correct-size-computation-while-concatenating-m.patch
@@ -0,0 +1,113 @@
+From 8b8438b164750b1e864b8093e0b83b76365b7246 Mon Sep 17 00:00:00 2001
+From: Xiao Wang
+Date: Wed, 8 Aug 2018 06:01:50 +0200
+Subject: [PATCH 1/3] slirp: correct size computation while concatenating mbuf
+
+RH-Author: Xiao Wang
+Message-id: <1533708112-14286-2-git-send-email-jasowang@redhat.com>
+Patchwork-id: 81669
+O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 1/3] slirp: correct size computation while concatenating mbuf
+Bugzilla: 1586247
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: wexu@redhat.com
+RH-Acked-by: Thomas Huth
+
+From: Prasad J Pandit
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1586247
+Brew Build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=17635033
+Test status: Tested by myself
+
+While reassembling incoming fragmented datagrams, 'm_cat' routine
+extends the 'mbuf' buffer, if it has insufficient room. It computes
+a wrong buffer size, which leads to overwriting adjacent heap buffer
+area. Correct this size computation in m_cat.
+
+Reported-by: ZDI Disclosures
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+(cherry picked from commit 864036e251f54c99d31df124aad7f34f01f5344c)
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/mbuf.c | 11 +++++------
+ slirp/mbuf.h | 8 +++-----
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 5ff2455..18cbf75 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ * If there's no room, realloc
+ */
+ if (M_FREEROOM(m) < n->m_len)
+- m_inc(m,m->m_size+MINCSIZE);
++ m_inc(m, m->m_len + n->m_len);
+
+ memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
+ m->m_len += n->m_len;
+@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ }
+
+
+-/* make m size bytes large */
++/* make m 'size' bytes large from m_data */
+ void
+ m_inc(struct mbuf *m, int size)
+ {
+@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
+
+ if (m->m_flags & M_EXT) {
+ datasize = m->m_data - m->m_ext;
+- m->m_ext = g_realloc(m->m_ext, size);
++ m->m_ext = g_realloc(m->m_ext, size + datasize);
+ m->m_data = m->m_ext + datasize;
+ } else {
+ char *dat;
+ datasize = m->m_data - m->m_dat;
+- dat = g_malloc(size);
++ dat = g_malloc(size + datasize);
+ memcpy(dat, m->m_dat, m->m_size);
+
+ m->m_ext = dat;
+@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
+ m->m_flags |= M_EXT;
+ }
+
+- m->m_size = size;
+-
++ m->m_size = size + datasize;
+ }
+
+
+diff --git a/slirp/mbuf.h b/slirp/mbuf.h
+index 893601f..33b8448 100644
+--- a/slirp/mbuf.h
++++ b/slirp/mbuf.h
+@@ -33,8 +33,6 @@
+ #ifndef MBUF_H
+ #define MBUF_H
+
+-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
+-
+ /*
+ * Macros for type conversion
+ * mtod(m,t) - convert mbuf pointer to data pointer of correct type
+@@ -72,11 +70,11 @@ struct mbuf {
+ struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
+ int m_flags; /* Misc flags */
+
+- int m_size; /* Size of data */
++ int m_size; /* Size of mbuf, from m_dat or m_ext */
+ struct socket *m_so;
+
+- caddr_t m_data; /* Location of data */
+- int m_len; /* Amount of data in this mbuf */
++ caddr_t m_data; /* Current location of data */
++ int m_len; /* Amount of data in this mbuf, from m_data */
+
+ Slirp *slirp;
+ bool resolution_requested;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-reformat-m_inc-routine.patch b/SOURCES/kvm-slirp-reformat-m_inc-routine.patch
new file mode 100644
index 0000000..d70ae47
--- /dev/null
+++ b/SOURCES/kvm-slirp-reformat-m_inc-routine.patch
@@ -0,0 +1,78 @@
+From c97c19773140b2f9941ecd2c4bd390e6c011d730 Mon Sep 17 00:00:00 2001
+From: Xiao Wang
+Date: Wed, 8 Aug 2018 06:01:51 +0200
+Subject: [PATCH 2/3] slirp: reformat m_inc routine
+
+RH-Author: Xiao Wang
+Message-id: <1533708112-14286-3-git-send-email-jasowang@redhat.com>
+Patchwork-id: 81671
+O-Subject: [RHEL-7.5.z qemu-kvm-ma PATCH V2 2/3] slirp: reformat m_inc routine
+Bugzilla: 1586247
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: wexu@redhat.com
+RH-Acked-by: Thomas Huth
+
+From: Prasad J Pandit
+
+Coding style changes to the m_inc routine and minor refactoring.
+
+Reported-by: ZDI Disclosures
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+(cherry picked from commit c22098c74a09164797fae6511c5eaf68f32c4dd8)
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/mbuf.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 18cbf75..0c189e1 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -151,27 +151,25 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ void
+ m_inc(struct mbuf *m, int size)
+ {
+- int datasize;
++ int datasize;
+
+- /* some compiles throw up on gotos. This one we can fake. */
+- if(m->m_size>size) return;
++ /* some compilers throw up on gotos. This one we can fake. */
++ if (m->m_size > size) {
++ return;
++ }
+
+- if (m->m_flags & M_EXT) {
+- datasize = m->m_data - m->m_ext;
+- m->m_ext = g_realloc(m->m_ext, size + datasize);
+- m->m_data = m->m_ext + datasize;
+- } else {
+- char *dat;
+- datasize = m->m_data - m->m_dat;
+- dat = g_malloc(size + datasize);
+- memcpy(dat, m->m_dat, m->m_size);
+-
+- m->m_ext = dat;
+- m->m_data = m->m_ext + datasize;
+- m->m_flags |= M_EXT;
+- }
++ if (m->m_flags & M_EXT) {
++ datasize = m->m_data - m->m_ext;
++ m->m_ext = g_realloc(m->m_ext, size + datasize);
++ } else {
++ datasize = m->m_data - m->m_dat;
++ m->m_ext = g_malloc(size + datasize);
++ memcpy(m->m_ext, m->m_dat, m->m_size);
++ m->m_flags |= M_EXT;
++ }
+
+- m->m_size = size + datasize;
++ m->m_data = m->m_ext + datasize;
++ m->m_size = size + datasize;
+ }
+
+
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 98eb28e..6825e64 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -106,7 +106,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 2.10.0
-Release: 21%{?dist}.3
+Release: 21%{?dist}.4
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -1063,6 +1063,12 @@ Patch453: kvm-scsi-disk-allow-customizing-the-SCSI-version.patch
 Patch454: kvm-hw-scsi-support-SCSI-2-passthrough-without-PI.patch
 # For bz#1596553 - RHEL-Alt-7.5 - qemu has error during migration of larger guests [rhel-7.5.z]
 Patch455: kvm-s390x-fix-storage-attributes-migration-for-non-small.patch
+# For bz#1586247 - CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z]
+Patch456: kvm-slirp-correct-size-computation-while-concatenating-m.patch
+# For bz#1586247 - CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z]
+Patch457: kvm-slirp-reformat-m_inc-routine.patch
+# For bz#1586247 - CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z]
+Patch458: kvm-slirp-Correct-size-check-in-m_inc.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -1695,6 +1701,9 @@ cp %{SOURCE29} pc-bios
 %patch453 -p1
 %patch454 -p1
 %patch455 -p1
+%patch456 -p1
+%patch457 -p1
+%patch458 -p1
 
 # for tscdeadline_latency.flat
 %ifarch x86_64
@@ -2193,6 +2202,13 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Tue Aug 21 2018 Miroslav Rezanina - ma-2.10.0-21.el7_5.4
+- kvm-slirp-correct-size-computation-while-concatenating-m.patch [bz#1586247]
+- kvm-slirp-reformat-m_inc-routine.patch [bz#1586247]
+- kvm-slirp-Correct-size-check-in-m_inc.patch [bz#1586247]
+- Resolves: bz#1586247
+ (CVE-2018-11806 qemu-kvm-ma: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.5.z])
+
 * Mon Jul 02 2018 Miroslav Rezanina - ma-2.10.0-21.el7_5.3
 - kvm-scsi-disk-allow-customizing-the-SCSI-version.patch [bz#1593193]
 - kvm-hw-scsi-support-SCSI-2-passthrough-without-PI.patch [bz#1593193]
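Review bot: The three identical `# For bz#1586247 ...` comments above Patch456–Patch458 in the @@ -1063 hunk hide that these patches are an ordered, inseparable set: Patch456 changes the m_inc() argument to a room-from-m_data size but leaves the early return comparing it against m->m_size, the commit message of Patch458 states that this alone still lets m_cat() overrun the buffer, and Patch458's hunk context (`if (m->m_size > size) {` with braces, index 0c189e1) only applies on top of the reformat Patch457 produces. A later rebase that drops or reorders one of them (the "reformat" patch reads as cosmetic) would reintroduce the heap overrun while the changelog still claims CVE-2018-11806 resolved. Suggest recording the dependency in the spec, e.g. `# For bz#1586247 - CVE-2018-11806 ... [rhel-7.5.z] (must follow Patch456/Patch457: fixes the size check Patch456 left comparing m_size)` above Patch458, and a matching "prerequisite for Patch458" remark above Patch457. The %patch sequence in the @@ -1695 hunk already applies them in the correct order.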