diff --git a/0010-curl-7.82.0-CVE-2022-32208.patch b/0010-curl-7.82.0-CVE-2022-32208.patch
new file mode 100644
index 0000000..34e7d2e
--- /dev/null
+++ b/0010-curl-7.82.0-CVE-2022-32208.patch
@@ -0,0 +1,70 @@
+From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index 787137c..6f9e1f7 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
+   enc.value = buf;
+   enc.length = len;
+   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+-  if(maj != GSS_S_COMPLETE) {
+-    if(len >= 4)
+-      strcpy(buf, "599 ");
++  if(maj != GSS_S_COMPLETE)
+     return -1;
+-  }
+ 
+   memcpy(buf, dec.value, dec.length);
+   len = curlx_uztosi(dec.length);
+@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+   int len;
+   CURLcode result;
++  int nread;
+ 
+   result = socket_read(fd, &len, sizeof(len));
+   if(result)
+@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
+   if(len) {
+     /* only realloc if there was a length */
+     len = ntohl(len);
+-    buf->data = Curl_saferealloc(buf->data, len);
++    if(len > CURL_MAX_INPUT_LENGTH)
++      len = 0;
++    else
++      buf->data = Curl_saferealloc(buf->data, len);
+   }
+   if(!len || !buf->data)
+     return CURLE_OUT_OF_MEMORY;
+@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
+   result = socket_read(fd, buf->data, len);
+   if(result)
+     return result;
+-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+-                                 conn->data_prot, conn);
++  nread = conn->mech->decode(conn->app_data, buf->data, len,
++                             conn->data_prot, conn);
++  if(nread < 0)
++    return CURLE_RECV_ERROR;
++  buf->size = (size_t)nread;
+   buf->index = 0;
+   return CURLE_OK;
+ }
+-- 
+2.35.3
+
diff --git a/curl.spec b/curl.spec
index 900ce65..e5bed52 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.82.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -37,6 +37,9 @@ Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
 # fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
 
+# fix FTP-KRB bad message verification (CVE-2022-32208)
+Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -220,6 +223,7 @@ be installed.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -447,6 +451,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
+- fix FTP-KRB bad message verification (CVE-2022-32208)
+
 * Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
 - fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
 - do not accept cookies for TLD with trailing dot (CVE-2022-27779)