diff --git a/rear-CVE-2024-23301.patch b/rear-CVE-2024-23301.patch
new file mode 100644
index 0000000..1361f52
--- /dev/null
+++ b/rear-CVE-2024-23301.patch
@@ -0,0 +1,32 @@
+From 89b61793d80bc2cb2abe47a7d0549466fb087d16 Mon Sep 17 00:00:00 2001
+From: Johannes Meixner <jsmeix@suse.com>
+Date: Fri, 12 Jan 2024 08:04:40 +0100
+Subject: [PATCH] Make initrd accessible only by root (#3123)
+
+In pack/GNU/Linux/900_create_initramfs.sh call
+chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
+to let only 'root' access the ReaR initrd because
+the ReaR recovery system in the initrd can contain secrets
+(not by default but when certain things are explicitly
+configured by the user like SSH keys without passphrase)
+see https://github.com/rear/rear/issues/3122
+and https://bugzilla.opensuse.org/show_bug.cgi?id=1218728
+---
+ usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+index 1e0c11039..12be718ed 100644
+--- a/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
++++ b/usr/share/rear/pack/GNU/Linux/900_create_initramfs.sh
+@@ -125,4 +125,10 @@ case "$REAR_INITRD_COMPRESSION" in
+         fi
+         ;;
+ esac
++
++# Only root should be allowed to access the initrd
++# because the ReaR recovery system can contain secrets
++# cf. https://github.com/rear/rear/issues/3122
++test -s "$TMP_DIR/$REAR_INITRD_FILENAME" && chmod 0600 "$TMP_DIR/$REAR_INITRD_FILENAME"
++
+ popd >/dev/null
diff --git a/rear.spec b/rear.spec
index eca8c50..63174f8 100644
--- a/rear.spec
+++ b/rear.spec
@@ -3,7 +3,7 @@
 
 Name: rear
 Version: 2.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Relax-and-Recover is a Linux disaster recovery and system migration tool
 URL: https://relax-and-recover.org
 License: GPL-3.0-only
@@ -57,6 +57,10 @@ Patch109: rear-skip-useless-xfs-mount-options-RHEL-10478.patch
 # https://github.com/rear/rear/commit/060fef89b6968f0c8f254e6f612eff839b83c057
 Patch110: rear-fix-compatibility-with-newer-systemd-bz2254871.patch
 
+# make initrd accessible only by root
+# https://github.com/rear/rear/commit/89b61793d80bc2cb2abe47a7d0549466fb087d16
+Patch111: rear-CVE-2024-23301.patch
+
 ######################
 # downstream patches #
 ######################
@@ -195,6 +199,9 @@ install -m 0644 %{SOURCE3} %{buildroot}%{_docdir}/%{name}/
 
 #-- CHANGELOG -----------------------------------------------------------------#
 %changelog
+* Tue Feb 06 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.7-4
+- make initrd accessible only by root (CVE-2024-23301)
+
 * Tue Feb 06 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.7-3
 - fix unusable recovery with newer systemd (rbhz#2254871)