diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index c70cd95..bc32aee 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -24,6 +24,8 @@ source=(
   0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
   0001-e1000e-Fix-e1000_check_for_copper_link_ich8lan-retur.patch
   0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
+  2-2-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find..diff::https://patchwork.ozlabs.org/patch/838470/raw
+  4-8-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup..diff::https://patchwork.ozlabs.org/patch/852277/raw
 )
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
@@ -39,7 +41,9 @@ sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
             '37b86ca3de148a34258e3176dbf41488d9dbd19e93adbd22a062b3c41332ce85'
             'c6e7db7dfd6a07e1fd0e20c3a5f0f315f9c2a366fe42214918b756f9a1c9bfa3'
-            '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2')
+            '1d69940c6bf1731fa1d1da29b32ec4f594fa360118fe7b128c9810285ebf13e2'
+            '46a85ae78d43fcc64c88b1ea3655ac5419246c2a058a5320a151c41fd47ef2aa'
+            '44ad0a8503b1b47a2d9d93e4752a5b7e169ef40acb04638c18a2e6664e5345b5')
 
 _kernelname=${pkgbase#linux}
 
@@ -63,6 +67,9 @@ prepare() {
   # https://nvd.nist.gov/vuln/detail/CVE-2017-8824
   patch -Np1 -i ../0002-dccp-CVE-2017-8824-use-after-free-in-DCCP-code.patch
 
+  patch -p1 -i "${srcdir}/2-2-Revert-xfrm-Fix-stack-out-of-bounds-read-in-xfrm_state_find..diff"
+  patch -p1 -i "${srcdir}/4-8-xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup..diff"
+
   cp -Tf ../config .config
 
   if [ "${_kernelname}" != "" ]; then