diff --git a/meta-oe/recipes-graphics/mesa/files/0001-util-Move-STACK_ARRAY-into-util.patch b/meta-oe/recipes-graphics/mesa/files/0001-util-Move-STACK_ARRAY-into-util.patch
new file mode 100644
index 0000000..49aa1b0
--- /dev/null
+++ b/meta-oe/recipes-graphics/mesa/files/0001-util-Move-STACK_ARRAY-into-util.patch
@@ -0,0 +1,83 @@
+From 8dfa16221058327dbfed11aafff963ac73334756 Mon Sep 17 00:00:00 2001
+From: Shaik Moin <careers.myinfo@gmail.com>
+Date: Fri, 19 Jun 2026 16:40:02 +0530
+Subject: [PATCH] util: Move STACK_ARRAY into util
+
+It's useful for more than just Vulkan.
+
+Reference:
+https://gitlab.freedesktop.org/mesa/mesa/-/commit/f43cff3728e58c377d1e03b13db62514217abfe1.patch
+
+Signed-off-by: Shaik Moin <careers.myinfo@gmail.com>
+---
+ src/util/meson.build   |  1 +
+ src/util/stack_array.h | 45 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+ create mode 100644 src/util/stack_array.h
+
+diff --git a/src/util/meson.build b/src/util/meson.build
+index 6e77a2f..9c37972 100644
+--- a/src/util/meson.build
++++ b/src/util/meson.build
+@@ -110,6 +110,7 @@ files_mesa_util = files(
+   'softfloat.h',
+   'sparse_array.c',
+   'sparse_array.h',
++  'stack_array.h',
+   'string_buffer.c',
+   'string_buffer.h',
+   'strndup.h',
+diff --git a/src/util/stack_array.h b/src/util/stack_array.h
+new file mode 100644
+index 0000000..e2133bd
+--- /dev/null
++++ b/src/util/stack_array.h
+@@ -0,0 +1,45 @@
++/*
++ * Copyright © 2025 Collabora, Ltd.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
++ * IN THE SOFTWARE.
++ */
++
++#include <stdlib.h>
++
++#ifndef UTIL_STACK_ARRAY_H
++#define UTIL_STACK_ARRAY_H
++
++#define STACK_ARRAY_SIZE 8
++
++/* Sometimes gcc may claim -Wmaybe-uninitialized for the stack array in some
++ * places it can't verify that when size is 0 nobody down the call chain reads
++ * the array. Please don't try to fix it by zero-initializing the array here
++ * since it's used in a lot of different places. An "if (size == 0) return;"
++ * may work for you.
++ */
++#define STACK_ARRAY(type, name, size) \
++   type _stack_##name[STACK_ARRAY_SIZE]; \
++   type *const name = \
++     ((size) <= STACK_ARRAY_SIZE ? _stack_##name : (type *)malloc((size) * sizeof(type)))
++
++#define STACK_ARRAY_FINISH(name) \
++   if (name != _stack_##name) free(name)
++
++#endif /* UTIL_STACK_ARRAY_H */
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-graphics/mesa/files/CVE-2026-40393.patch b/meta-oe/recipes-graphics/mesa/files/CVE-2026-40393.patch
new file mode 100644
index 0000000..e35e5a4
--- /dev/null
+++ b/meta-oe/recipes-graphics/mesa/files/CVE-2026-40393.patch
@@ -0,0 +1,103 @@
+From e240e44e1967b9f605225ecddbf07f307952c814 Mon Sep 17 00:00:00 2001
+From: Shaik Moin <careers.myinfo@gmail.com>
+Date: Mon, 8 Jun 2026 12:21:41 +0530
+Subject: [PATCH] spirv: Use STACK_ARRAY instead of NIR_VLA
+
+The number of fields comes from the shader, so it could be a value large
+enough that using alloca would be problematic.
+
+Backport the fix for CVE-2026-40393
+
+CVE: CVE-2026-40393
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/mesa/mesa/-/commit/978fd42b4b7d1e9c0435ffa7e1a4d339cba9b76e]
+
+Patch is refreshed based on code base.
+
+Fixes: 2a023f30a64 ("nir/spirv: Add basic support for types")
+Reviewed-by: Caio Oliveira <caio.oliveira@intel.com>
+Reviewed-by: Ryan Neph <ryanneph@google.com>
+Reviewed-by: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
+Signed-off-by: Shaik Moin <moin.shaik@partner.bmwgroup.com>
+---
+ src/compiler/spirv/spirv_to_nir.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/compiler/spirv/spirv_to_nir.c b/src/compiler/spirv/spirv_to_nir.c
+index 79e176a..68da937 100644
+--- a/src/compiler/spirv/spirv_to_nir.c
++++ b/src/compiler/spirv/spirv_to_nir.c
+@@ -26,7 +26,6 @@
+  */
+ 
+ #include "vtn_private.h"
+-#include "nir/nir_vla.h"
+ #include "nir/nir_control_flow.h"
+ #include "nir/nir_constant_expressions.h"
+ #include "nir/nir_deref.h"
+@@ -35,6 +34,7 @@
+ #include "util/format/u_format.h"
+ #include "util/u_math.h"
+ #include "util/u_string.h"
++#include "util/stack_array.h"
+ 
+ #include <stdio.h>
+ 
+@@ -926,7 +926,7 @@ vtn_type_get_nir_type(struct vtn_builder *b, struct vtn_type *type,
+       case vtn_base_type_struct: {
+          bool need_new_struct = false;
+          const uint32_t num_fields = type->length;
+-         NIR_VLA(struct glsl_struct_field, fields, num_fields);
++         STACK_ARRAY(struct glsl_struct_field, fields, num_fields);
+          for (unsigned i = 0; i < num_fields; i++) {
+             fields[i] = *glsl_get_struct_field_data(type->type, i);
+             const struct glsl_type *field_nir_type =
+@@ -936,20 +936,25 @@ vtn_type_get_nir_type(struct vtn_builder *b, struct vtn_type *type,
+                need_new_struct = true;
+             }
+          }
++
++	 const struct glsl_type *result;
+          if (need_new_struct) {
+             if (glsl_type_is_interface(type->type)) {
+-               return glsl_interface_type(fields, num_fields,
++               result = glsl_interface_type(fields, num_fields,
+                                           /* packing */ 0, false,
+                                           glsl_get_type_name(type->type));
+             } else {
+-               return glsl_struct_type(fields, num_fields,
++               result = glsl_struct_type(fields, num_fields,
+                                        glsl_get_type_name(type->type),
+                                        glsl_struct_type_is_packed(type->type));
+             }
+          } else {
+             /* No changes, just pass it on */
+-            return type->type;
++            result = type->type;
+          }
++
++	 STACK_ARRAY_FINISH(fields);
++	 return result;
+       }
+ 
+       case vtn_base_type_image:
+@@ -1519,7 +1524,7 @@ vtn_handle_type(struct vtn_builder *b, SpvOp opcode,
+       val->type->offsets = ralloc_array(b, unsigned, num_fields);
+       val->type->packed = false;
+ 
+-      NIR_VLA(struct glsl_struct_field, fields, count);
++      STACK_ARRAY(struct glsl_struct_field, fields, count);
+       for (unsigned i = 0; i < num_fields; i++) {
+          val->type->members[i] = vtn_get_type(b, w[i + 2]);
+          const char *name = NULL;
+@@ -1575,6 +1580,7 @@ vtn_handle_type(struct vtn_builder *b, SpvOp opcode,
+                                             name ? name : "struct",
+                                             val->type->packed);
+       }
++      STACK_ARRAY_FINISH(fields);
+       break;
+    }
+ 
+-- 
+2.34.1
+
diff --git a/meta-oe/recipes-graphics/mesa/mesa_%.bbappend b/meta-oe/recipes-graphics/mesa/mesa_%.bbappend
new file mode 100644
index 0000000..553264a
--- /dev/null
+++ b/meta-oe/recipes-graphics/mesa/mesa_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://CVE-2026-40393.patch \
+            file://0001-util-Move-STACK_ARRAY-into-util.patch \
+"