diff --git a/meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch b/meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch
new file mode 100644
index 0000000000..1fc3b0ca6d
--- /dev/null
+++ b/meta-oe/recipes-support/lcms/lcms/CVE-2026-42798.patch
@@ -0,0 +1,38 @@
+From e5638450eafbe2e79b4dbbf9fcbc47998cf35427 Mon Sep 17 00:00:00 2001
+From: Marti Maria
+Date: Thu, 19 Feb 2026 08:48:50 +0100
+Subject: [PATCH] Fix for ParseCube integer overflow in LUT allocation
+
+thanks to @zerojackyi for reporting
+
+(cherry picked from commit 6a686019825a89b715d16671f18d049523354176)
+
+CVE: CVE-2026-42798
+Upstream-Status: Backport [https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176]
+Signed-off-by: Ankur Tyagi
+---
+ src/cmscgats.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cmscgats.c b/src/cmscgats.c
+index bccbf58..b099331 100644
+--- a/src/cmscgats.c
++++ b/src/cmscgats.c
+@@ -3128,7 +3128,16 @@ cmsBool ParseCube(cmsIT8* cube, cmsStage** Shaper, cmsStage** CLUT, char title[]
+
+ if (lut_size > 0) {
+
+- int nodes = lut_size * lut_size * lut_size;
++ int nodes;
++
++ /**
++ * Professional LUT‑generation tools (e.g., Nobe LutBake) list 65×65×65 as their highest supported size.
++ */
++ if (lut_size > 65)
++ return SynError(cube, "LUT size '%d' is over maximum of 65", lut_size);
++
++ nodes = lut_size * lut_size * lut_size;
++
+
+ cmsFloat32Number* lut_table = _cmsMalloc(cube->ContextID, nodes * 3 * sizeof(cmsFloat32Number));
+ if (lut_table == NULL) return FALSE;
diff --git a/meta-oe/recipes-support/lcms/lcms_2.16.bb b/meta-oe/recipes-support/lcms/lcms_2.16.bb
index 8a70572907..7544e83578 100644
--- a/meta-oe/recipes-support/lcms/lcms_2.16.bb
+++ b/meta-oe/recipes-support/lcms/lcms_2.16.bb
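Review bot: The comment added above `if (lut_size > 65)` in the backported `src/cmscgats.c` hunk justifies the limit only by what LUT tools emit, so the code never records that this bound is what keeps `lut_size * lut_size * lut_size` in `int` range and `nodes * 3 * sizeof(cmsFloat32Number)` from wrapping. Since the patch is tagged `Upstream-Status: Backport`, that is better raised upstream than edited here; a wording such as `/* lut_size <= 65 bounds nodes to 274625, so the nodes * 3 * sizeof(cmsFloat32Number) allocation cannot overflow */` plus a single named constant instead of the two literal 65s would do. For this layer, the commit message should state the behaviour change: cube files declaring a size above 65, which the removed line still tried to process, are now rejected through `SynError`. ParseCube starts and ends outside the hunk, so whether this early return has to release anything allocated before the block cannot be checked from here.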
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e9ce323c4b71c943a785db90142b228a"
 SRC_URI = "${SOURCEFORGE_MIRROR}/lcms/lcms2-${PV}.tar.gz \
 file://CVE-2026-41254_1.patch \
 file://CVE-2026-41254_2.patch \
+ file://CVE-2026-42798.patch \
 "
 SRC_URI[sha256sum] = "d873d34ad8b9b4cea010631f1a6228d2087475e4dc5e763eb81acc23d9d45a51"