diff --git a/SOURCES/udisks-2.9.4-ext-mount-options.patch b/SOURCES/udisks-2.9.4-ext-mount-options.patch
new file mode 100644
index 0000000..475eaec
--- /dev/null
+++ b/SOURCES/udisks-2.9.4-ext-mount-options.patch
@@ -0,0 +1,54 @@
+From 2d5d2b7570b0f44c14b34b5dc831f174205c10f2 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek
+Date: Wed, 15 Sep 2021 14:34:49 +0200
+Subject: [PATCH] mount options: Always use errors=remount-ro for ext
+ filesystems
+
+Default mount options are focused primarily on data safety, mounting
+damaged ext2/3/4 filesystem as readonly would indicate something's wrong.
+---
+ data/builtin_mount_options.conf | 9 +++++++++
+ src/tests/dbus-tests/test_80_filesystem.py | 6 ++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/data/builtin_mount_options.conf b/data/builtin_mount_options.conf
+index 37715cfa4..e0bd0ee1f 100644
+--- a/data/builtin_mount_options.conf
++++ b/data/builtin_mount_options.conf
+@@ -27,3 +27,12 @@ f2fs_allow=discard,nodiscard,compress_algorithm,compress_log_size,compress_exten
+ btrfs_allow=compress,compress-force,datacow,nodatacow,datasum,nodatasum,degraded,device,discard,nodiscard,subvol,subvolid,space_cache
+
+ f2fs_allow=discard,nodiscard,compress_algorithm,compress_log_size,compress_extension,alloc_mode
++
++ext2_defaults=errors=remount-ro
++ext2_allow=errors=remount-ro
++
++ext3_defaults=errors=remount-ro
++ext3_allow=errors=remount-ro
++
++ext4_defaults=errors=remount-ro
++ext4_allow=errors=remount-ro
+diff --git a/src/tests/dbus-tests/test_80_filesystem.py b/src/tests/dbus-tests/test_80_filesystem.py
+index 019880f57..2d1933240 100644
+--- a/src/tests/dbus-tests/test_80_filesystem.py
++++ b/src/tests/dbus-tests/test_80_filesystem.py
+@@ -321,6 +321,8 @@ def test_mount_auto(self):
+ _ret, out = self.run_command('mount | grep %s' % block_fs_dev)
+ self.assertIn(mnt_path, out)
+ self.assertIn('ro', out)
++ if self._fs_name.startswith('ext'):
++ self.assertIn('errors=remount-ro', out)
+
+ # dbus mountpoint
+ dbus_mounts = self.get_property(block_fs, '.Filesystem', 'MountPoints')
+@@ -478,6 +480,10 @@ def test_custom_option(self, should_fail, dbus_option, should_be_present, config
+ if self._fs_name == "udf":
+ test_custom_option(self, False, None, False, "[defaults]\ndefaults=\nallow=exec,noexec,nodev,nosuid,atime,noatime,nodiratime,ro,rw,sync,dirsync,noload,uid=ignore,uid=forget\n")
+ test_custom_option(self, True, "uid=notallowed", True, "[defaults]\nallow=exec,noexec,nodev,nosuid,atime,noatime,nodiratime,ro,rw,sync,dirsync,noload,uid=ignore\n")
++ if self._fs_name.startswith("ext"):
++ test_custom_option(self, False, "errors=remount-ro", True, "", match_mount_option="errors=remount-ro")
++ test_custom_option(self, True, "errors=panic", False, "")
++ test_custom_option(self, True, "errors=continue", False, "")
+
+ # udev rules overrides
+ test_readonly(self, False, "", udev_rules_content = { "UDISKS_MOUNT_OPTIONS_DEFAULTS": "rw" })
diff --git a/SPECS/udisks2.spec b/SPECS/udisks2.spec
index bb6d6fd..e26adf2 100644
--- a/SPECS/udisks2.spec
+++ b/SPECS/udisks2.spec
@@ -56,7 +56,7 @@
 Name: udisks2
 Summary: Disk Manager
 Version: 2.9.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 URL: https://github.com/storaged-project/udisks
@@ -73,6 +73,8 @@ Patch13: udisks-2.9.1-iscsi-Always-flush-interface-property-changes.patch
 Patch14: udisks-2.9.1-zram-Always-flush-interface-property-changes.patch
 Patch15: udisks-2.9.2-udisksdaemonutil-Refactor-udisks_daemon_util_trigger.patch
 Patch16: udisks-2.9.2-udiskslinuxmanager-Trigger-uevent-after-loop-device-setup.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2004422
+Patch17: udisks-2.9.4-ext-mount-options.patch
 Patch20: udisks-2.10.0-tests-drive_ata-apm.patch
 Patch21: udisks-2.10.0-tests-no-dev_disk-by-path.patch
 Patch22: tests-disable-zram.patch
@@ -290,6 +292,7 @@ This package contains module for VDO management.
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
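Review bot: In the `test_mount_auto` hunk of the embedded test_80_filesystem.py patch, the existing `self.assertIn('ro', out)` can no longer fail for ext filesystems, because the mount line now always carries `errors=remount-ro`, which itself contains `ro`. A regression that mounts the device read-write would therefore go unnoticed; matching the option as a token, e.g. `self.assertRegex(out, r'[(,]ro[,)]')`, keeps the check meaningful. In the second hunk the rejection cases for `errors=panic` and `errors=continue` pass an empty config string, so they appear to exercise only the built-in defaults. As this is the CVE-2021-3802 hardening, a case with a non-empty override config that omits the ext keys would show whether the restriction survives an admin-supplied file. Both enclosing test functions start and end outside the hunks.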
@@ -485,6 +488,9 @@ fi %endif %changelog +* Mon Oct 25 2021 Tomas Bzatek - 2.9.0-8 +- CVE-2021-3802: Harden the default mount options for ext filesystems (#2004422) + * Fri Apr 23 2021 Tomas Bzatek - 2.9.0-7 - Do not build udisks2-zram (#1923078) - Fix Drive.ATA test failures (#1926827)