diff --git a/xen.spec b/xen.spec
index 3c8922b..844667f 100644
--- a/xen.spec
+++ b/xen.spec
@@ -114,6 +114,7 @@ Patch48: xsa431.patch
 Patch49: xen.python3.12.patch
 Patch50: xen.ocaml5.fixes.patch
 Patch51: xsa433-4.17.patch
+Patch52: xsa433-bugfix.patch
 %if %build_qemutrad
@@ -332,6 +333,7 @@ manage Xen virtual machines.
 %patch 50 -p1
 %endif
 %patch 51 -p1
+%patch 52 -p1
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -939,6 +941,9 @@ fi
 %endif
 %changelog
+* Mon Jul 31 2023 Michael Young - 4.17.1-8
+- bugfix for x86/AMD: Zenbleed [XSA-433, CVE-2023-20593]
+
 * Tue Jul 25 2023 Michael Young
 - adjust OCaml patch condition so eln builds work
diff --git a/xsa433-bugfix.patch b/xsa433-bugfix.patch
new file mode 100644
index 0000000..8ad4eda
--- /dev/null
+++ b/xsa433-bugfix.patch
@@ -0,0 +1,29 @@
+From: Andrew Cooper
+Subject: x86/amd: Fix DE_CFG truncation in amd_check_zenbleed()
+
+This line:
+
+ val &= ~chickenbit;
+
+ends up truncating val to 32 bits, and turning off various errata workarounds
+in Zen2 systems.
+
+Fixes: f91c5ea97067 ("x86/amd: Mitigations for Zenbleed")
+Signed-off-by: Andrew Cooper
+Reviewed-by: Jan Beulich
+
+diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
+index 3ed06f670491..df2681b7c455 100644
+--- a/xen/arch/x86/cpu/amd.c
++++ b/xen/arch/x86/cpu/amd.c
+@@ -909,8 +909,8 @@ void __init detect_zen2_null_seg_behaviour(void)
+ void amd_check_zenbleed(void)
+ {
+ const struct cpu_signature *sig = &this_cpu(cpu_sig);
+- unsigned int good_rev, chickenbit = (1 << 9);
+- uint64_t val, old_val;
++ unsigned int good_rev;
++ uint64_t val, old_val, chickenbit = (1 << 9);
+
+ /*
+ * If we're virtualised, we can't do family/model checks safely, and
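Review bot: In the embedded amd.c hunk of xsa433-bugfix.patch, the width of `chickenbit` is now what keeps `val &= ~chickenbit;` from clearing the upper half of the 64-bit DE_CFG value, but nothing on the declaration records that. A later tidy-up could narrow it back to `unsigned int` and silently turn the errata workarounds off again, as the commit message describes. I would add `/* Must be as wide as val: ~chickenbit is applied to the 64-bit DE_CFG value. */` above the declaration and write the initialiser as `chickenbit = (1ULL << 9)` so the constant's type matches the variable. The body of amd_check_zenbleed() continues outside the hunk, so other uses of `chickenbit` cannot be checked from here. The `- bugfix for x86/AMD: Zenbleed` changelog entry could also say that the previous Zenbleed patch disabled other Zen2 errata workarounds, so administrators can see why this update matters.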