diff --git a/0018-curl-7.47.1-CVE-2016-8618.patch b/0018-curl-7.47.1-CVE-2016-8618.patch
new file mode 100644
index 0000000..7465cbe
--- /dev/null
+++ b/0018-curl-7.47.1-CVE-2016-8618.patch
@@ -0,0 +1,49 @@
+From 086eed9d97b860b2c3484038d225a16e406c757d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 28 Sep 2016 10:15:34 +0200
+Subject: [PATCH] aprintf: detect wrap-around when growing allocation
+
+On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+bytes and crash.
+
+CVE-2016-8618
+
+Bug: https://curl.haxx.se/docs/adv_20161102D.html
+Reported-by: Cure53
+
+Upstream-commit: 8732ec40db652c53fa58cd13e2acb8eab6e40874
+Signed-off-by: Kamil Dudka
+---
+ lib/mprintf.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/mprintf.c b/lib/mprintf.c
+index b6d9a9c..e47c10a 100644
+--- a/lib/mprintf.c
++++ b/lib/mprintf.c
+@@ -1011,16 +1011,19 @@ static int alloc_addbyter(int output, FILE *data)
+ infop->len =0;
+ }
+ else if(infop->len+1 >= infop->alloc) {
+- char *newptr;
++ char *newptr = NULL;
++ size_t newsize = infop->alloc*2;
+
+- newptr = realloc(infop->buffer, infop->alloc*2);
++ /* detect wrap-around or other overflow problems */
++ if(newsize > infop->alloc)
++ newptr = realloc(infop->buffer, newsize);
+
+ if(!newptr) {
+ infop->fail = 1;
+ return -1; /* fail */
+ }
+ infop->buffer = newptr;
+- infop->alloc *= 2;
++ infop->alloc = newsize;
+ }
+
+ infop->buffer[ infop->len ] = outc;
+--
+2.7.4
+
diff --git a/curl.spec b/curl.spec
index 71b9252..b48308e 100644
--- a/curl.spec
+++ b/curl.spec
@@ -43,6 +43,9 @@ Patch16: 0016-curl-7.47.1-CVE-2016-8621.patch
 # fix glob parser write/read out of bounds (CVE-2016-8620)
 Patch17: 0017-curl-7.47.1-CVE-2016-8620.patch
 
+# fix double-free in curl_maprintf() (CVE-2016-8618)
+Patch18: 0018-curl-7.47.1-CVE-2016-8618.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
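Review bot: The new comment `/* detect wrap-around or other overflow problems */` on the guard says what is tested but not why `newptr` is now pre-initialised to NULL and why realloc() is skipped rather than clamped; the intent worth recording is that an overflowed `newsize` falls through to the existing `if(!newptr)` failure path with `infop->buffer` neither freed nor replaced, which (per the spec's description of the issue as a double-free) is what keeps the caller's later free from becoming a second one. Suggest extending it to `/* detect wrap-around or other overflow problems; on overflow skip realloc() so the existing failure path runs and infop->buffer stays valid for the caller to free */`. The comparison `newsize > infop->alloc` is only a complete wrap-around check if `infop->alloc` is an unsigned type as wide as size_t, which the hunk does not show — worth confirming against the struct definition. alloc_addbyter() begins and ends outside the hunk.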
@@ -168,6 +171,7 @@ documentation of the library, too.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -284,6 +288,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %changelog
 * Wed Nov 02 2016 Kamil Dudka 7.47.1-9
+- fix double-free in curl_maprintf() (CVE-2016-8618)
 - fix glob parser write/read out of bounds (CVE-2016-8620)
 - fix out-of-bounds read in curl_getdate() (CVE-2016-8621)
 - fix URL unescape heap overflow via integer truncation (CVE-2016-8622)