diff --git a/0001-fix-CVE-2024-2313.patch b/0001-fix-CVE-2024-2313.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f1ad5d65357e5a966e5cb64d14505ed19e9f2fca
--- /dev/null
+++ b/0001-fix-CVE-2024-2313.patch
@@ -0,0 +1,124 @@ +From 7540e3111bf711ad86f8ab63d195f203be915a81 Mon Sep 17 00:00:00 2001 +From: cuilichen +Date: Mon, 3 Jun 2024 13:21:11 +0800 +Subject: [PATCH] fix-CVE-2024-2313 + +--- + src/utils.cpp | 27 ++++++++++++++++++++++++--- + src/utils.h | 1 + + tests/utils.cpp | 22 ++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 3 deletions(-) + +diff --git a/src/utils.cpp b/src/utils.cpp +index 8b070eb..8b30afc 100644 +--- a/src/utils.cpp ++++ b/src/utils.cpp +@@ -109,6 +109,8 @@ const struct vmlinux_location vmlinux_locs[] = { + { nullptr, false }, + }; + ++constexpr std::string_view PROC_KHEADERS_PATH = "/sys/kernel/kheaders.tar.xz"; ++ + static bool pid_in_different_mountns(int pid); + static std::vector + resolve_binary_path(const std::string &cmd, const char *env_paths, int pid); +@@ -700,6 +702,22 @@ bool is_dir(const std::string& path) + return std_filesystem::is_directory(buf, ec); + } + ++bool file_exists_and_ownedby_root(const char *f) ++{ ++ struct stat st; ++ if (stat(f, &st) == 0) ++ { ++ if (st.st_uid != 0) ++ { ++ LOG(ERROR) << "header file ownership expected to be root: " ++ << std::string(f); ++ return false; ++ } ++ return true; ++ } ++ return false; ++} ++ + namespace { + struct KernelHeaderTmpDir { + KernelHeaderTmpDir(const std::string& prefix) : path{prefix + "XXXXXX"} +@@ -736,14 +754,14 @@ namespace { + #else + std_filesystem::path path_prefix{ "/tmp" }; + #endif +- std_filesystem::path path_kheaders{ "/sys/kernel/kheaders.tar.xz" }; ++ std_filesystem::path path_kheaders{ PROC_KHEADERS_PATH }; + if (const char* tmpdir = ::getenv("TMPDIR")) { + path_prefix = tmpdir; + } + path_prefix /= "kheaders-"; + std_filesystem::path shared_path{ path_prefix.string() + utsname.release }; + +- if (std_filesystem::exists(shared_path, ec)) ++ if (file_exists_and_ownedby_root(shared_path.c_str())) + { + // already unpacked + return shared_path.string(); +@@ -767,7 +785,10 @@ namespace { + + KernelHeaderTmpDir tmpdir{path_prefix}; + +- FILE* tar = 
::popen(("tar xf /sys/kernel/kheaders.tar.xz -C " + tmpdir.path).c_str(), "w"); ++ FILE *tar = ::popen(("tar xf " + std::string(PROC_KHEADERS_PATH) + " -C " + ++ tmpdir.path) ++ .c_str(), ++ "w"); + if (!tar) { + return ""; + } +diff --git a/src/utils.h b/src/utils.h +index 7c08961..b804749 100644 +--- a/src/utils.h ++++ b/src/utils.h +@@ -185,6 +185,7 @@ std::vector get_wildcard_tokens(const std::string &input, + std::vector get_online_cpus(); + std::vector get_possible_cpus(); + bool is_dir(const std::string &path); ++bool file_exists_and_ownedby_root(const char *f); + std::tuple get_kernel_dirs( + const struct utsname &utsname, + bool unpack_kheaders = true); +diff --git a/tests/utils.cpp b/tests/utils.cpp +index 88d4800..9a192cc 100644 +--- a/tests/utils.cpp ++++ b/tests/utils.cpp +@@ -363,6 +363,28 @@ TEST(utils, get_pids_for_program) + ASSERT_EQ(pids.size(), 0); + } + ++TEST(utils, file_exists_and_ownedby_root) ++{ ++ std::string tmpdir = "/tmp/bpftrace-test-utils-XXXXXX"; ++ std::string file1 = "/ownedby-user"; ++ std::string file2 = "/no-exists"; ++ if (::mkdtemp(tmpdir.data()) == nullptr) ++ { ++ throw std::runtime_error("creating temporary path for tests failed"); ++ } ++ ++ int fd; ++ fd = open((tmpdir + file1).c_str(), O_CREAT, S_IRUSR); ++ close(fd); ++ ASSERT_GE(fd, 0); ++ ++ EXPECT_FALSE(file_exists_and_ownedby_root((tmpdir + file1).c_str())); ++ EXPECT_FALSE(file_exists_and_ownedby_root((tmpdir + file2).c_str())); ++ EXPECT_TRUE(file_exists_and_ownedby_root("/proc/1/maps")); ++ ++ EXPECT_GT(std_filesystem::remove_all(tmpdir), 0); ++} ++ + } // namespace utils + } // namespace test + } // namespace bpftrace +-- +2.41.0 + diff --git a/bpftrace.spec b/bpftrace.spec index b81b5c740b4e11817065a2414fb5b3c6a50f57d1..cb4de08f3b3f9c8e041d3caafcc2f5981271d53b 100644 --- a/bpftrace.spec +++ b/bpftrace.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global __os_install_post %{nil} %global _find_debuginfo_opts -g 
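Review bot: `file_exists_and_ownedby_root` in src/utils.cpp calls `stat()`, which follows symlinks, and compares only `st_uid`, so the check that now guards the "already unpacked" return accepts any path that resolves to something root-owned. That includes a symlink placed under the shared `/tmp` (or `TMPDIR`) prefix by another user, and a root-owned directory that is group- or world-writable. Because this check gates reuse of cached kernel headers, it should examine the entry itself and its mode: use `lstat(f, &st)` and reject with `if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))`. The call site could additionally require `S_ISDIR(st.st_mode)`; that cannot go into the helper as written, because the new test expects `/proc/1/maps` to pass. The test itself expects `EXPECT_FALSE` for a file it has just created, which presumably fails when the suite runs as root, and it calls `close(fd)` before `ASSERT_GE(fd, 0)`.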
@@ -11,6 +11,7 @@ License: Apache-2.0 URL: https://github.com/iovisor/bpftrace Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Patch1: 0001-Workaround-OpaquePointers-for-LLVM-15.patch +Patch2: 0001-fix-CVE-2024-2313.patch # Arches will be included as upstream support is added and dependencies are # satisfied in the respective arches @@ -80,6 +81,9 @@ find %{buildroot}%{_datadir}/%{name}/tools -type f -exec \ %doc README.md CONTRIBUTING-TOOLS.md %changelog +* Mon Jun 3 2024 Cui lichen - 0.20.1-2 +- Fix CVE-2024-2313 + * Thu Mar 21 2024 mgb01105731 - 0.20.1-1 - update to 0.20.1