diff --git a/SOURCES/ucs2-buffer-overrrun.patch b/SOURCES/ucs2-buffer-overrrun.patch
new file mode 100644
index 0000000..5a43576
--- /dev/null
+++ b/SOURCES/ucs2-buffer-overrrun.patch
@@ -0,0 +1,69 @@
+From 0052926476474a28747004321e37f1dd4969d250 Mon Sep 17 00:00:00 2001
+From: Rod Vagg
+Date: Tue, 14 Aug 2018 20:18:06 +1000
+Subject: [PATCH] buffer: avoid overrun on UCS-2 string write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2018-12115
+Discovered by ChALkeR - Сковорода Никита Андреевич
+Fix by Anna Henningsen
+
+Writing to the second-to-last byte with UCS-2 encoding will cause a -1
+length to be send to String::Write(), writing all of the provided Buffer
+from that point and beyond.
+
+Fixes: https://github.com/nodejs-private/security/issues/203
+PR-URL: https://github.com/nodejs-private/node-private/pull/138
+---
+ src/string_bytes.cc | 6 +++++-
+ test/parallel/test-buffer.js | 21 +++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/string_bytes.cc b/src/string_bytes.cc
+index 882ca6e3e89..b54b7a2b36c 100644
+--- a/src/string_bytes.cc
++++ b/src/string_bytes.cc
+@@ -226,7 +226,11 @@ size_t StringBytes::WriteUCS2(char* buf,
+ size_t* chars_written) {
+ uint16_t* const dst = reinterpret_cast(buf);
+ 
+- size_t max_chars = (buflen / sizeof(*dst));
++ size_t max_chars = buflen / sizeof(*dst);
++ if (max_chars == 0) {
++ return 0;
++ }
++
+ size_t nchars;
+ size_t alignment = reinterpret_cast(dst) % sizeof(*dst);
+ if (alignment == 0) {
+diff --git a/test/parallel/test-buffer.js b/test/parallel/test-buffer.js
+index 6b1848c48bb..36cf8373cee 100644
+--- a/test/parallel/test-buffer.js
++++ b/test/parallel/test-buffer.js
+@@ -1506,3 +1506,24 @@ assert.strictEqual(SlowBuffer.prototype.offset, undefined);
+ // Check pool offset after that by trying to write string into the pool.
+ assert.doesNotThrow(() => Buffer.from('abc'));
+ }
++
++// UCS-2 overflow CVE-2018-12115
++for (let i = 1; i < 4; i++) {
++ // Allocate two Buffers sequentially off the pool. Run more than once in case
++ // we hit the end of the pool and don't get sequential allocations
++ const x = Buffer.allocUnsafe(4).fill(0);
++ const y = Buffer.allocUnsafe(4).fill(1);
++ // Should not write anything, pos 3 doesn't have enough room for a 16-bit char
++ assert.strictEqual(x.write('ыыыыыы', 3, 'ucs2'), 0);
++ // CVE-2018-12115 experienced via buffer overrun to next block in the pool
++ assert.strictEqual(Buffer.compare(y, Buffer.alloc(4, 1)), 0);
++}
++
++// Should not write any data when there is no space for 16-bit chars
++const z = Buffer.alloc(4, 0);
++assert.strictEqual(z.write('\u0001', 3, 'ucs2'), 0);
++assert.strictEqual(Buffer.compare(z, Buffer.alloc(4, 0)), 0);
++
++// Large overrun could corrupt the process
++assert.strictEqual(Buffer.alloc(4)
++ .write('ыыыыыы'.repeat(100), 3, 'utf16le'), 0);
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 1b5a79d..e1942b1 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -12,7 +12,7 @@
 
 Name: %{?scl_prefix}nodejs
 Version: 6.11.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 URL: http://nodejs.org/
@@ -44,6 +44,9 @@ Patch5: 0001-Disable-failing-tests.patch
 # revert 5900ebe and 4849d03145
 Patch6: 0001-https-segfault.patch
 
+# Fix UCS2 buffer overflow (RHBZ#1620219)
+Patch7: ucs2-buffer-overrrun.patch
+
 BuildRequires: %{?scl_prefix}gyp
 BuildRequires: %{?scl_prefix}scldevel
 BuildRequires: %{?scl_prefix}libuv-devel >= 1.9.1
@@ -131,7 +134,7 @@ The API documentation for the Node.js JavaScript runtime.
 rm -rf deps/npm \
 deps/uv \
 deps/http_parser \
- deps/zlib
+ deps/zlib
 
 # remove bundled CA certificates
 #rm -f src/node_root_certs.h
@@ -146,6 +149,9 @@ rm -rf deps/npm \
 # fix segafulting https
 %patch6 -p1
 
+# fix ucs2 buffer overflow
+%patch7 -p1
+
 %build
 # build with debugging symbols and add defines from libuv (#892601)
 # Node's v8 breaks with GCC 8 because of incorrect usage of methods on
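Review bot: The new early return in WriteUCS2 leaves `*chars_written` untouched, so a caller that reads it unconditionally after a zero-byte write would see whatever was in that variable before; setting `*chars_written = 0;` before `return 0;` (or documenting that the out-parameter is only meaningful when the return is non-zero) would close that gap — whether the callers in this tree depend on it cannot be seen from the hunk, and the rest of the function body lies outside it. As rendered here the `reinterpret_cast(buf)` and `reinterpret_cast(dst)` lines have lost their template arguments and the From: line its address, which looks like a page artifact rather than the stored file's content; it is still worth confirming the SOURCES copy matches upstream 0052926 byte for byte, since a garbled copy would fail at `%patch7 -p1` or at compile time. The added test pins only offsets that leave fewer than two bytes; a companion assertion such as `assert.strictEqual(Buffer.alloc(4).write('\u0001', 2, 'ucs2'), 2);` would also pin the boundary where exactly one character still fits.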
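Review bot: The Patch7 comment cites RHBZ#1620219 while the %changelog entry in the last hunk records RHBZ#1621763 for the same fix; if both bugs are intentional (a parent bug and its clone, say) the comment should name the one the changelog resolves, or both, so the two records agree — e.g. `# Fix UCS2 buffer overflow (CVE-2018-12115, RHBZ#1621763)`. Naming the CVE in that comment also makes the spec greppable for the advisory without opening the patch. The patch file name carries a typo (`overrrun`) that matches the file added under SOURCES/, so it applies as-is, but renaming both to `ucs2-buffer-overrun.patch` would avoid later confusion.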
@@ -160,7 +166,7 @@ export CXXFLAGS='%{optflags} -g \
 -D_LARGEFILE_SOURCE \
 -D_FILE_OFFSET_BITS=64 \
 -DZLIB_CONST \
- -fno-delete-null-pointer-checks -I%{_includedir}'
+ -fno-delete-null-pointer-checks -I%{_includedir}'
 
 export LDFLAGS='%{optflags} -L%{_libdir}'
 
@@ -230,10 +236,10 @@ mv %{buildroot}/%{_datadir}/doc/node/gdbinit %{buildroot}/%{_pkgdocdir}/gdbinit
 mv %{buildroot}/%{_datadir}/doc/node/lldbinit %{buildroot}%{_pkgdocdir}/lldbinit
 mv %{buildroot}/%{_datadir}/doc/node/lldb_commands.py %{buildroot}%{_pkgdocdir}/lldb_commands.py
 
-%check
+%check
 mv test/parallel/test-zlib-failed-init.js test/disabled/
 %{?scl:scl enable %{scl} "}
-python tools/test.py --mode=release parallel -J
+python tools/test.py --mode=release parallel -J
 %{?scl:"}
 
 %files
@@ -250,7 +256,7 @@ python tools/test.py --mode=release parallel -J
 %license LICENSE
 %doc AUTHORS CHANGELOG.md README.md
 %doc COLLABORATOR_GUIDE.md GOVERNANCE.md CODE_OF_CONDUCT.md
- 
+
 %files devel
 %if %{?with_debug} == 1
 %{_bindir}/node_g
@@ -266,6 +272,10 @@ python tools/test.py --mode=release parallel -J
 %{_pkgdocdir}/html
 
 %changelog
+* Mon Sep 24 2018 Jan Staněk - 6.11.3-7
+- Import upstream fix for CVE-2018-12115
+- Resolves: RHBZ#1621763
+
 * Tue Jun 19 2018 Zuzana Svetlikova - 6.11.3-6
 - Resolves: RHBZ#1543198, fix cert segfault (1589027)
 