diff --git a/backport-CVE-2024-36387-mod_http2-early-exit-if-bb-is-null.patch b/backport-CVE-2024-36387-mod_http2-early-exit-if-bb-is-null.patch
new file mode 100644
index 0000000000000000000000000000000000000000..02ce132720dd3712a606fce05488e200cb7ae4c6
--- /dev/null
+++ b/backport-CVE-2024-36387-mod_http2-early-exit-if-bb-is-null.patch
@@ -0,0 +1,39 @@
+From 62aa64e5aea21dd969db97aded4443c98c0735ac Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 24 Jun 2024 17:51:42 +0000
+Subject: [PATCH] Merge r1918548 from trunk:
+
+mod_http2: early exit if bb is null
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/62aa64e5aea21dd969db97aded4443c98c0735ac
+
+---
+ modules/http2/h2_c2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/modules/http2/h2_c2.c b/modules/http2/h2_c2.c
+index a955200944..c65a521ab8 100644
+--- a/modules/http2/h2_c2.c
++++ b/modules/http2/h2_c2.c
+@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
+ h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
+ apr_status_t rv;
+
++ if (bb == NULL) {
++#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
++ f->c->data_in_output_filters = 0;
++#endif
++ return APR_SUCCESS;
++ }
++
+ ap_assert(conn_ctx);
+ #if AP_HAS_RESPONSE_BUCKETS
+ if (!conn_ctx->has_final_response) {
+--
+2.33.0
+
diff --git a/httpd.spec b/httpd.spec
index 625499001a599fff44574ebec0769d77d566ed18..db1cbd78aaa8e6ae6f18c02502f3f8e1bd4db351 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@ Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.58
-Release: 4
+Release: 5
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
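Review bot: The CVE this backport addresses is recorded only in the patch file name and in httpd.spec; the patch's own local header (the `Conflict:NA` / `Reference:` lines) should name it as well, e.g. a line such as `CVE:CVE-2024-36387`, so provenance survives a later rename or rebase of the file. The upstream message says only "early exit if bb is null", so the hunk alone does not show whether r1918548 is the complete upstream fix set for the advisory; confirm that against the upstream security record before the changelog entry states the CVE is fixed. The added guard makes a NULL brigade reaching `h2_c2_filter_out` return `APR_SUCCESS` instead of continuing into code that presumably dereferences it further down (not visible in the hunk); that is upstream's chosen behaviour and should stay as-is in the backport rather than be extended locally. The body of `h2_c2_filter_out` continues outside the nested hunk.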
@@ -77,6 +77,7 @@ Patch23: backport-CVE-2023-38709-header-validation-after-content.patch
 Patch24: backport-CVE-2024-27316-bail-after-too-many-failed-reads.patch
 Patch25: backport-remove-dependency-on-xmlstring-header.patch
 Patch26: backport-only-allocate-a-heap-heap-buffer.patch
+Patch27: backport-CVE-2024-36387-mod_http2-early-exit-if-bb-is-null.patch
 
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -514,11 +515,17 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
-* Tue Jul 09 2024 chengyechun - 2.4.58-4
-- Type:bugfix
+* Tue Jul 02 2024 wangziliang - 2.4.58-5
+- Type:CVE
+- ID:CVE-2024-36387
+- SUG:NA
+- DESC:fix CVE-2024-36387
+
+* Sat Jun 08 2024 yueyuankun - 2.4.58-4
+- Type:NA
 - ID:NA
 - SUG:NA
-- DESC:replace openEuler with _vendor
+- DESC: replace openEuler with _vendor
 
 * Wed May 22 2024 zhangyaqi - 2.4.58-3
 - Type:bugfix