diff --git a/freerdp-2.11.6-CVE-2026-33984.patch b/freerdp-2.11.6-CVE-2026-33984.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2d5251505a693d0be14c2941b1a43af86fd2c6b9
--- /dev/null
+++ b/freerdp-2.11.6-CVE-2026-33984.patch
@@ -0,0 +1,40 @@
+From dc7fdb165095139be779a4000199bc1706b06ad5 Mon Sep 17 00:00:00 2001
+From: Armin Novak
+Date: Wed, 25 Mar 2026 09:48:54 +0100
+Subject: [PATCH] [codec,clear] update CLEAR_VBAR_ENTRY::size after alloc
+
+CVE-2026-33984 (GHSA-8469-2xcx-frf6): in resize_vbar_entry() in
+libfreerdp/codec/clear.c, vBarEntry->size is updated to vBarEntry->count
+before the (re)allocation call. If realloc fails, size is inflated while
+pixels still points to the old, smaller buffer. On a subsequent call where
+count <= size (the inflated value), the realloc is skipped and the caller
+writes count * bpp bytes of attacker-controlled pixel data into the
+undersized buffer, causing a heap buffer overflow.
+
+Only update vBarEntry->size after the buffer was successfully reallocated.
+
+Backported from upstream commit dc7fdb165095139be779a4000199bc1706b06ad5
+and adapted to the 2.11.6 clear.c codec code (realloc instead of
+winpr_aligned_recalloc).
+---
+ libfreerdp/codec/clear.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -565,7 +565,6 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry)
+ const UINT32 oldPos = vBarEntry->size * bpp;
+ const UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp;
+ BYTE* tmp;
+- vBarEntry->size = vBarEntry->count;
+ tmp = (BYTE*)realloc(vBarEntry->pixels, 1ull * vBarEntry->count * bpp);
+
+ if (!tmp)
+@@ -574,6 +573,7 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry)
+
+ memset(&tmp[oldPos], 0, diffSize);
+ vBarEntry->pixels = tmp;
++ vBarEntry->size = vBarEntry->count;
+ }
+
+ if (!vBarEntry->pixels && vBarEntry->size)
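Review bot: The moved `vBarEntry->size = vBarEntry->count;` now sits after `vBarEntry->pixels = tmp;` with nothing saying why the order matters, so the next refactor of resize_vbar_entry() can silently reintroduce the bug; I would put a comment on the moved line, `/* size must only describe the buffer pixels actually points to: on realloc failure both stay unchanged (CVE-2026-33984) */`. The fix also relies on the `if (!tmp)` branch leaving the function before the rest of the block runs; its body (clear.c line 573), the `if` that opens this block and the start of resize_vbar_entry() are all outside the hunk, so that is inferred rather than seen. The `oldPos`/`diffSize` values on the first two context lines are still derived from the pre-update `size`, which is exactly what the memset after the realloc needs, so that part is consistent with the new ordering.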
diff --git a/freerdp-2.11.6-CVE-2026-33986.patch b/freerdp-2.11.6-CVE-2026-33986.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b5f9f4115599b972bc11197469f5c8e8d85f0a34
--- /dev/null
+++ b/freerdp-2.11.6-CVE-2026-33986.patch
@@ -0,0 +1,45 @@
+From f6e43e208958140074ae9bb93cd0c9045a371c77 Mon Sep 17 00:00:00 2001
+From: Armin Novak
+Date: Wed, 25 Mar 2026 09:45:56 +0100
+Subject: [PATCH] [codec,h264] update H264_CONTEXT::width,height after alloc
+
+CVE-2026-33986 (GHSA-h6qw-wxvm-hf97): in avc420_ensure_buffer() in
+libfreerdp/codec/h264.c, h264->width and h264->height are updated before
+the YUV buffers are (re)allocated. If any allocation fails the function
+returns FALSE, but the dimensions are already inflated. On the next call
+with the same dimensions the (width != h264->width || height !=
+h264->height) check evaluates to FALSE, the reallocation is skipped, and
+the decoder writes decoded YUV data into the old, undersized buffers,
+causing a heap buffer overflow.
+
+Ensure the width/height values are only updated after the buffers were
+successfully allocated.
+
+Backported from upstream commit f6e43e208958140074ae9bb93cd0c9045a371c77
+and adapted to the 2.11.6 avc420_ensure_buffer() code (_aligned_malloc
+instead of the later yuv_ensure_buffer/winpr_aligned_recalloc refactor).
+---
+ libfreerdp/codec/h264.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/libfreerdp/codec/h264.c
++++ b/libfreerdp/codec/h264.c
+@@ -58,8 +58,6 @@ BOOL avc420_ensure_buffer(H264_CONTEXT* h264, UINT32 stride, UINT32 width, UINT3
+ h264->iStride[0] = stride;
+ h264->iStride[1] = (stride + 1) / 2;
+ h264->iStride[2] = (stride + 1) / 2;
+- h264->width = width;
+- h264->height = height;
+ _aligned_free(h264->pYUVData[0]);
+ _aligned_free(h264->pYUVData[1]);
+ _aligned_free(h264->pYUVData[2]);
+@@ -69,6 +67,9 @@ BOOL avc420_ensure_buffer(H264_CONTEXT* h264, UINT32 stride, UINT32 width, UINT3
+
+ if (!h264->pYUVData[0] || !h264->pYUVData[1] || !h264->pYUVData[2])
+ return FALSE;
++
++ h264->width = width;
++ h264->height = height;
+ }
+
+ return TRUE;
diff --git a/freerdp.spec b/freerdp.spec
index 9807401e13535554e6c0ca1cce95ebd710b0d199..fd913e3986d4634c8d3f30267706df6001394606 100644
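Review bot: Deferring `h264->width`/`h264->height` closes the skipped-reallocation path, but `h264->iStride[0..2]` on the first three context lines is still written before the planes are reallocated, so after a failed `_aligned_malloc` the context returns FALSE holding the new strides together with the old dimensions and whatever the three allocation calls left in pYUVData. That is only harmless if every caller discards the frame on FALSE, which cannot be confirmed from this hunk; either compute the strides into locals and assign them next to the deferred width/height, or state the invariant on the added lines with `/* commit the dimensions only once all three planes exist; a failed call keeps the old width/height so the next call reallocates instead of reusing undersized buffers */`. The `_aligned_malloc` calls (h264.c lines 66-68), the enclosing `if (width != h264->width || height != h264->height)` block and the start of avc420_ensure_buffer() lie outside the hunk.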
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -17,7 +17,7 @@ Summary: Free implementation of the Remote Desktop Protocol (RDP)
 Name: freerdp
 Version: 2.11.6
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: ASL 2.0
 URL: http://www.freerdp.com/
 Source0: https://github.com/FreeRDP/FreeRDP/archive/%{version}/%{name}-%{version}.tar.gz
@@ -46,6 +46,8 @@ Patch0022: freerdp-2.11.6-CVE-2026-24679.patch
 Patch0023: freerdp-2.11.6-CVE-2026-29774.patch
 Patch0024: freerdp-2.11.6-CVE-2026-29776.patch
 Patch0025: freerdp-2.11.6-CVE-2026-44420.patch
+Patch0026: freerdp-2.11.6-CVE-2026-33984.patch
+Patch0027: freerdp-2.11.6-CVE-2026-33986.patch
 BuildRequires: gcc gcc-c++ alsa-lib-devel cmake cups-devel gsm-devel lame-devel libicu-devel libjpeg-turbo-devel
 BuildRequires: libX11-devel libXcursor-devel libXdamage-devel libXext-devel libXi-devel libXinerama-devel
@@ -245,6 +247,11 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc
 %changelog
+* Thu Jun 25 2026 Xinlong Chen - 2.11.6-15
+- [Type] security
+- [DESC] Fix CVE-2026-33984: update CLEAR_VBAR_ENTRY::size after alloc in clear codec
+- Fix CVE-2026-33986: update H264_CONTEXT::width,height after alloc in h264 codec
+
 * Wed Jun 03 2026 PkgAgent Robot - 2.11.6-14
 - [Type] security
 - [DESC] Fix CVE-2026-44420: validate capabilitySetLength in cliprdr server caps