new file mode 100644
@@ -0,0 +1,36 @@
+From bec94ccae65fd40ec6cc417f395cb250dc6bdc1a Mon Sep 17 00:00:00 2001
+From: TristanInSec <tristan.mtn@gmail.com>
+Date: Tue, 12 May 2026 06:01:57 -0400
+Subject: [PATCH] Fix heap OOB read in VLAN decapsulation memmove
+
+In lldpd_decode(), the VLAN decapsulation memmove shifts frame data
+4 bytes left starting at offset 2*ETHER_ADDR_LEN. The source pointer
+is correctly offset by +4, but the length argument uses the full
+remaining frame length (s - 2*ETHER_ADDR_LEN) instead of accounting
+for the 4-byte shift (s - 2*ETHER_ADDR_LEN - 4).
+
+When the received frame fills the hardware MTU allocation exactly,
+the memmove reads 4 bytes past the end of the heap buffer.
+
+CVE: CVE-2026-46433
+Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6]
+
+(cherry picked from commit ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/daemon/lldpd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index 4859fb8..d6249bb 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -572,7 +572,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardw
+ /* VLAN decapsulation means to shift 4 bytes left the frame from
+ * offset 2*ETHER_ADDR_LEN */
+ memmove(frame + 2 * ETHER_ADDR_LEN, frame + 2 * ETHER_ADDR_LEN + 4,
+- s - 2 * ETHER_ADDR_LEN);
++ s - 2 * ETHER_ADDR_LEN - 4);
+ s -= 4;
+ }
+
@@ -10,6 +10,7 @@ SRC_URI = "\
file://lldpd.init.d \
file://lldpd.default \
file://run-ptest \
+ file://CVE-2026-46433.patch \
"
SRC_URI[sha256sum] = "4b320675d608901a4a0d4feff8f96bb846d4913d914b0cf75b7d0ae80490f2f7"