diff --git a/CVE-2020-27347.patch b/CVE-2020-27347.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fe335b307e14a748af736933a0d695761ad57045
--- /dev/null
+++ b/CVE-2020-27347.patch
@@ -0,0 +1,30 @@
+From a868bacb46e3c900530bed47a1c6f85b0fbe701c Mon Sep 17 00:00:00 2001
+From: nicm
+Date: Thu, 29 Oct 2020 16:33:01 +0000
+Subject: [PATCH] Do not write after the end of the array and overwrite the
+ stack when colon-separated SGR sequences contain empty arguments. Reported by
+ Sergey Nizovtsev.
+
+---
+ input.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/input.c b/input.c
+index 42a60c92a..c280c0d97 100644
+--- a/input.c
++++ b/input.c
+@@ -1976,8 +1976,13 @@ input_csi_dispatch_sgr_colon(struct input_ctx *ictx, u_int i)
+ free(copy);
+ return;
+ }
+- } else
++ } else {
+ n++;
++ if (n == nitems(p)) {
++ free(copy);
++ return;
++ }
++ }
+ log_debug("%s: %u = %d", __func__, n - 1, p[n - 1]);
+ }
+ free(copy);
diff --git a/tmux.spec b/tmux.spec
index aaa2b23f9f7a071ac594674cf7c5071552312984..58d64ccab154fead3c0024a80e2493acbf5a7b76 100644
--- a/tmux.spec
+++ b/tmux.spec
@@ -2,7 +2,7 @@
 Name: tmux
 Version: 2.9a
-Release: 1
+Release: 2
 Summary: A terminal multiplexer
 License: ISC and BSD
@@ -10,6 +10,8 @@ URL: https://tmux.github.io/
 Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1: bash_completion_tmux.sh
+Patch1: CVE-2020-27347.patch
+
 BuildRequires: gcc libevent-devel ncurses-devel libutempter-devel
 %description
@@ -63,5 +65,8 @@ fi
 %{_mandir}/man1/%{name}.1.gz
 %changelog
+* Sat Nov 28 2020 wangye - 2.9a-2
+- fix CVE
+
 * Fri Oct 11 2019 openEuler Buildteam - 2.9a-1
 - Package init
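Review bot: The added guard in the empty-argument branch (`if (n == nitems(p)) { free(copy); return; }`) drops the whole sequence silently, because the `log_debug` line that follows the branch is skipped on that path. A short trace before the return, for example `log_debug("%s: too many arguments", __func__);`, would make an over-long colon-separated SGR parameter visible when triaging terminal input. The guard also deserves a one-line comment such as `/* an empty argument still consumes a slot in p[] */`, since the reason the bound must be checked in this branch is not obvious from the code. The body of input_csi_dispatch_sgr_colon starts and ends outside the hunk, so the size of `p` and the condition guarding the non-empty branch are assumed from the visible `free(copy); return;` context.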
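Review bot: `Patch1:` is declared in this hunk, but no visible hunk touches `%prep`, so whether the fix is actually applied depends on lines outside the diff. If `%prep` uses plain `%setup` rather than `%autosetup -p1`, add `%patch1 -p1` there; otherwise the package would ship the unpatched input.c while the changelog reports the CVE as fixed. The embedded patch targets line 1976 of an upstream input.c that is presumably newer than the 2.9a tree, so the build log is worth checking for offset or fuzz messages. The changelog entry in the last hunk would be easier to audit as `- fix CVE-2020-27347`.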