diff --git a/CVE-2024-23301.patch b/CVE-2024-23301.patch
new file mode 100644
index 0000000..a494e73
--- /dev/null
+++ b/CVE-2024-23301.patch
@@ -0,0 +1,34 @@
+From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
+From: Johannes Meixner <jsmeix@suse.com>
+Date: Fri, 12 Jan 2024 08:04:40 +0100
+Subject: [PATCH] Make initrd accessible only by root (#3123)
+
+Origin: https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
+
+In pack/GNU/Linux/900_create_initramfs.sh call
+chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+to let only 'root' access the ReaR initrd because
+the ReaR recovery system in the initrd can contain secrets
+(not by default but when certain things are explicitly
+configured by the user like SSH keys without passphrase)
+see https://github.com/rear/rear/issues/3122
+and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
+---
+ usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+index 1e0c11039..12be718ed 100644
+--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
++++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
+         fi
+         ;;
+ esac
++
++# Only root should be allowed to access the initrd
++# because the ReaR recovery system can contain secrets
++# cf. https://github.com/rear/rear/issues/3122
++test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
++
+ popd >/dev/null
diff --git a/rear.spec b/rear.spec
index aade605..bffa9fd 100644
--- a/rear.spec
+++ b/rear.spec
@@ -2,7 +2,7 @@
 
 Name:           rear
 Version:        2.7
-Release:        1
+Release:        2
 License:        GPLv3
 Summary:        Relax-and-Recover is a setup-and-forget Linux bare metal disaster recovery solution
 URL:            http://relax-and-recover.org/
@@ -11,6 +11,7 @@ Source0:        https://github.com/rear/rear/archive/refs/tags/%{version}.tar.gz
 Source1:        rear.cron
 Source2:        rear.service
 Source3:        rear.timer
+Patch0:         CVE-2024-23301.patch
 ExclusiveArch:  x86_64 loongarch64
 Requires:       binutils ethtool gzip iputils parted tar openssl gawk attr bc crontabs iproute
 Requires:       genisoimage util-linux
@@ -72,6 +73,9 @@ rm -rf %{buildroot}
 %doc %{_mandir}/man8/rear.8*
 
 %changelog
+* Mon Jan 15 2024 wangkai <13474090681@163.com> - 2.7-2
+- Fix CVE-2024-23301
+
 * Thu Jan 04 2024 Paul Thomas <paulthomas100199@gmail.com> - 2.7-1
 - update to version 2.7