diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch
new file mode 100644
index 0000000000..d673fd4389
--- /dev/null
+++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch
@@ -0,0 +1,36 @@
+From bec94ccae65fd40ec6cc417f395cb250dc6bdc1a Mon Sep 17 00:00:00 2001
+From: TristanInSec <tristan.mtn@gmail.com>
+Date: Tue, 12 May 2026 06:01:57 -0400
+Subject: [PATCH] Fix heap OOB read in VLAN decapsulation memmove
+
+In lldpd_decode(), the VLAN decapsulation memmove shifts frame data
+4 bytes left starting at offset 2*ETHER_ADDR_LEN.  The source pointer
+is correctly offset by +4, but the length argument uses the full
+remaining frame length (s - 2*ETHER_ADDR_LEN) instead of accounting
+for the 4-byte shift (s - 2*ETHER_ADDR_LEN - 4).
+
+When the received frame fills the hardware MTU allocation exactly,
+the memmove reads 4 bytes past the end of the heap buffer.
+
+CVE: CVE-2026-46433
+Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6]
+
+(cherry picked from commit ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/daemon/lldpd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index 4859fb8..d6249bb 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -572,7 +572,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardw
+ 		/* VLAN decapsulation means to shift 4 bytes left the frame from
+ 		 * offset 2*ETHER_ADDR_LEN */
+ 		memmove(frame + 2 * ETHER_ADDR_LEN, frame + 2 * ETHER_ADDR_LEN + 4,
+-		    s - 2 * ETHER_ADDR_LEN);
++		    s - 2 * ETHER_ADDR_LEN - 4);
+ 		s -= 4;
+ 	}
+ 
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb
index a1bf4640b2..9b516237b5 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb
@@ -10,6 +10,7 @@ SRC_URI = "\
     file://lldpd.init.d \
     file://lldpd.default \
     file://run-ptest \
+    file://CVE-2026-46433.patch \
     "
 
 SRC_URI[sha256sum] = "4b320675d608901a4a0d4feff8f96bb846d4913d914b0cf75b7d0ae80490f2f7"
