diff --git a/meta/recipes-extended/gzip/gzip-1.14/CVE-2026-41991.patch b/meta/recipes-extended/gzip/gzip-1.14/CVE-2026-41991.patch
new file mode 100644
index 0000000000..b1a3644020
--- /dev/null
+++ b/meta/recipes-extended/gzip/gzip-1.14/CVE-2026-41991.patch
@@ -0,0 +1,86 @@
+From 661918c7c0d5acf52508107d6bcdeb72a526ce52 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Thu, 16 Apr 2026 12:11:44 -0700
+Subject: [PATCH] gzexe: use -C if lacking mktemp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(Problem reported by Michał Majchrowicz.)
+* gzexe.in: If mktemp is needed but not installed,
+use ‘set -C’ to avoid a race when creating a temporary file.
+* zdiff.in: Use the same pattern here, even though the old
+code was probably OK anyway.
+
+CVE: CVE-2026-41991
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269]
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ NEWS     | 13 +++++++++----
+ gzexe.in |  1 +
+ zdiff.in |  7 +++----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 881b6b6..3a05d7e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,10 +4,6 @@ GNU gzip NEWS                                    -*- outline -*-
+ 
+ ** Bug fixes
+ 
+-  A buffer overflow has been fixed when decompressing an .lzh file
+-  after decompressing a .Z file.
+-  [bug present since the beginning]
+-
+   'gzip -d' no longer omits the last partial output buffer when the
+   input ends unexpectedly on an IBM Z platform.
+   [bug introduced in gzip-1.11]
+@@ -18,6 +14,15 @@ GNU gzip NEWS                                    -*- outline -*-
+   'gzip -S' now rejects suffixes containing '/'.
+   [bug present since the beginning]
+ 
++  A buffer overflow has been fixed when decompressing an .lzh file
++  after decompressing a .Z file.
++  [bug present since the beginning]
++
++  On old-fashioned or limited platforms lacking mktemp, gzexe and
++  zdiff no longer have a race when creating a temporary file.
++  [bug present since the beginning]
++
++
+ ** Changes in behavior
+ 
+   The GZIP environment variable is now silently ignored except for the
+diff --git a/gzexe.in b/gzexe.in
+index 1267d6e..09a2571 100644
+--- a/gzexe.in
++++ b/gzexe.in
+@@ -127,6 +127,7 @@ for i do
+     tmp=`mktemp "${dir}gzexeXXXXXXXXX"`
+   else
+     tmp=${dir}gzexe$$
++    (umask 77; set -C; > "$tmp")
+   fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || {
+     res=$?
+     printf >&2 '%s\n' "$0: cannot copy $file"
+diff --git a/zdiff.in b/zdiff.in
+index a8689a0..c04a8c0 100644
+--- a/zdiff.in
++++ b/zdiff.in
+@@ -156,12 +156,11 @@ case $file2 in
+                           *) TMPDIR=/tmp/;;
+                         esac
+                         if command -v mktemp >/dev/null 2>&1; then
+-                          tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` ||
+-                            exit 2
++                          tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"`
+                         else
+-                          set -C
+                           tmp=${TMPDIR}zdiff$$
+-                        fi
++                          (umask 77; set -C; > "$tmp")
++                        fi &&
+                         'gzip' -cdfq -- "$file2" > "$tmp" || exit 2
+                         gzip_status=$(
+                           exec 4>&1
diff --git a/meta/recipes-extended/gzip/gzip_1.14.bb b/meta/recipes-extended/gzip/gzip_1.14.bb
index 99174a58c5..d6bd36f89f 100644
--- a/meta/recipes-extended/gzip/gzip_1.14.bb
+++ b/meta/recipes-extended/gzip/gzip_1.14.bb
@@ -7,6 +7,7 @@ LICENSE = "GPL-3.0-or-later"
 SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
            file://run-ptest \
            file://CVE-2026-41992.patch \
+           file://CVE-2026-41991.patch \
            "
 SRC_URI:append:class-target = " file://wrong-path-fix.patch"
 
