diff --git a/SOURCES/kvm-vga-add-ram_addr_t-cast.patch b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
new file mode 100644
index 0000000..bc09fa1
--- /dev/null
+++ b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
@@ -0,0 +1,41 @@
+From 793f93597e16bbe37da8b0e884f9f17d1790b99a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 9 Apr 2018 13:27:35 +0200
+Subject: [PATCH 1/2] vga: add ram_addr_t cast
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20180409132736.24598-2-kraxel@redhat.com>
+Patchwork-id: 79513
+O-Subject: [RHEL-7.5 qemu-kvm PATCH 1/2] vga: add ram_addr_t cast
+Bugzilla: 1567913
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+
+Reported by Coverity.
+
+Fixes: CID 1381409
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20171010141323.14049-4-kraxel@redhat.com
+(cherry picked from commit b0898b42ef099bc125db1fbf62b7f02b505ef3a2)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 017e951..8e6c6d6 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1534,7 +1534,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+     disp_width = width;
+ 
+     region_start = (s->start_addr * 4);
+-    region_end = region_start + s->line_offset * height;
++    region_end = region_start + (ram_addr_t)s->line_offset * height;
+     if (region_end > s->vbe_size) {
+         /* wraps around (can happen with cirrus vbe modes) */
+         region_start = 0;
+-- 
+1.8.3.1
+
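Review bot: The widening is applied only to the `line_offset * height` product, while the context line just above it, `region_start = (s->start_addr * 4);`, is still evaluated in whatever type `start_addr` has before the result is assigned. If that field is 32 bits wide (its declaration is not in this hunk), the multiplication can wrap before `region_end` is compared with `s->vbe_size`, so the same treatment would be consistent: `region_start = (ram_addr_t)s->start_addr * 4;`. A short comment on the cast, for example `/* widen before multiplying so the product cannot wrap in 32 bits */`, would record the reason in the code, since the commit message only cites the Coverity CID. The body of vga_draw_graphic starts and ends outside the hunk.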
diff --git a/SOURCES/kvm-vga-fix-region-calculation.patch b/SOURCES/kvm-vga-fix-region-calculation.patch
new file mode 100644
index 0000000..099430e
--- /dev/null
+++ b/SOURCES/kvm-vga-fix-region-calculation.patch
@@ -0,0 +1,47 @@
+From 3ed3904f7411bd5896aebdfcc6fe202dbfc2eef6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 9 Apr 2018 13:27:36 +0200
+Subject: [PATCH 2/2] vga: fix region calculation
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20180409132736.24598-3-kraxel@redhat.com>
+Patchwork-id: 79512
+O-Subject: [RHEL-7.5 qemu-kvm PATCH 2/2] vga: fix region calculation
+Bugzilla: 1567913
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+
+Typically the scanline length and the line offset are identical.  But
+in case they are not our calculation for region_end is incorrect.  Using
+line_offset is fine for all scanlines, except the last one where we have
+to use the actual scanline length.
+
+Fixes: CVE-2018-7550
+Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Message-id: 20180309143704.13420-1-kraxel@redhat.com
+(cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 8e6c6d6..9270a75 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1535,6 +1535,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ 
+     region_start = (s->start_addr * 4);
+     region_end = region_start + (ram_addr_t)s->line_offset * height;
++    region_end += width * s->get_bpp(s) / 8; /* scanline length */
++    region_end -= s->line_offset;
+     if (region_end > s->vbe_size) {
+         /* wraps around (can happen with cirrus vbe modes) */
+         region_start = 0;
+-- 
+1.8.3.1
+
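Review bot: The new `region_end -= s->line_offset;` is an unsigned subtraction with no lower-bound check, so it is only safe when `height` is at least 1. If `height` can be 0 at this point (where it is computed is outside the hunk), `region_end` wraps to a very large value and correctness depends on the following `region_end > s->vbe_size` test catching it. That dependency deserves a comment such as `/* height >= 1 assumed; a wrapped region_end is caught by the vbe_size check below */`, or an explicit guard before the subtraction. The scanline term `width * s->get_bpp(s) / 8` is also evaluated in the operands' own types rather than `ram_addr_t`, unlike the cast added on the line above it; `(ram_addr_t)width * s->get_bpp(s) / 8` would keep the two lines consistent.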
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 11271e0..9513bd7 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version}                                      \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 156%{?dist}
+Release: 156%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3865,6 +3865,10 @@ Patch1903: kvm-ui-avoid-sign-extension-using-client-width-height.patch
 Patch1904: kvm-ui-correctly-advance-output-buffer-when-writing-SASL.patch
 # For bz#1518711 - CVE-2017-15268 qemu-kvm: Qemu: I/O: potential memory exhaustion via websock connection to VNC [rhel-7.5]
 Patch1905: kvm-io-skip-updates-to-client-if-websocket-output-buffer.patch
+# For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+Patch1906: kvm-vga-add-ram_addr_t-cast.patch
+# For bz#1567913 - CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]
+Patch1907: kvm-vga-fix-region-calculation.patch
 
 
 BuildRequires: zlib-devel
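Review bot: The comment on Patch1907 attributes the fix to CVE-2018-7858, but the patch file it names carries the trailer `Fixes: CVE-2018-7550` in its commit message, so two different identifiers are attached to the same change. Anyone auditing the package by searching SOURCES for the CVE number given in the spec will not find it in the patch, and a search for the other number will match a fix the spec does not list under it. The cherry-picked message is normally kept verbatim, so the spec comment is the place to reconcile the two, for example `# Note: the upstream commit message cites CVE-2018-7550; this package tracks the fix as CVE-2018-7858 (bz#1567913)`. The same label is repeated in the %changelog entry of this commit.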
@@ -5948,6 +5952,8 @@ tar -xf %{SOURCE21}
 %patch1903 -p1
 %patch1904 -p1
 %patch1905 -p1
+%patch1906 -p1
+%patch1907 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6393,6 +6399,12 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Mon Apr 16 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7_5.1
+- kvm-vga-add-ram_addr_t-cast.patch [bz#1567913]
+- kvm-vga-fix-region-calculation.patch [bz#1567913]
+- Resolves: bz#1567913
+  (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z])
+
 * Tue Feb 20 2018 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-156.el7
 - kvm-vnc-Fix-qemu-crashed-when-vnc-client-disconnect-sudd.patch [bz#1527405]
 - kvm-fix-full-frame-updates-for-VNC-clients.patch [bz#1527405]