diff --git a/CVE-2018-12648.patch b/CVE-2018-12648.patch
new file mode 100644
index 0000000..0e960c0
--- /dev/null
+++ b/CVE-2018-12648.patch
@@ -0,0 +1,43 @@
+From 487f4136013d9fa3351b863e5f861463a1cbddcf Mon Sep 17 00:00:00 2001
+From: Victor Rodriguez
+Date: Sat, 18 Aug 2018 13:54:55 +0000
+Subject: [PATCH] Issue #9 - Fix null-pointer-dereference (CVE-2018-12648)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The WEBP::GetLE32 function in
+XMPFiles/source/FormatSupport/WEBP_Support.hpp in Exempi 2.4.5 has a
+NULL pointer dereference.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=106981
+https://gitlab.freedesktop.org/libopenraw/exempi/issues/9
+
+Signed-off-by: Victor Rodriguez
+Signed-off-by: Hubert Figuière
+---
+ XMPFiles/source/FormatSupport/WEBP_Support.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/XMPFiles/source/FormatSupport/WEBP_Support.cpp b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
+index ffaf220..4fe705b 100644
+--- a/XMPFiles/source/FormatSupport/WEBP_Support.cpp
++++ b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
+@@ -160,9 +160,11 @@ bool VP8XChunk::xmp()
+ }
+ void VP8XChunk::xmp(bool hasXMP)
+ {
+- XMP_Uns32 flags = GetLE32(&this->data[0]);
+- flags ^= (-hasXMP ^ flags) & (1 << XMP_FLAG_BIT);
+- PutLE32(&this->data[0], flags);
++ if (&this->data[0] != NULL) {
++ XMP_Uns32 flags = GetLE32(&this->data[0]);
++ flags ^= (-hasXMP ^ flags) & (1 << XMP_FLAG_BIT);
++ PutLE32(&this->data[0], flags);
++ }
+ }
+
+ Container::Container(WEBP_MetaHandler* handler) : Chunk(NULL, handler)
+--
+2.17.1
+
diff --git a/exempi.spec b/exempi.spec
index e89b594..99bb5cb 100644
--- a/exempi.spec
+++ b/exempi.spec
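Review bot: The guard `if (&this->data[0] != NULL)` added to `VP8XChunk::xmp(bool hasXMP)` in the embedded WEBP_Support.cpp hunk is not a reliable emptiness test. If `data` is a `std::vector` (its declaration is not visible in this hunk), indexing element 0 of an empty vector is already undefined behaviour, and a compiler may assume the address of the resulting reference is non-null and drop the branch. The check also does not establish that four bytes are present for the `GetLE32`/`PutLE32` pair that follows. A size check states the actual precondition: `if (this->data.size() >= 4) {`. The getter `VP8XChunk::xmp()` just above closes in the context lines, so whether it performs the same unguarded read cannot be seen from here.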
@@ -1,11 +1,12 @@
 Summary: Library for easy parsing of XMP metadata
 Name: exempi
 Version: 2.4.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Group: System Environment/Libraries
 URL: http://libopenraw.freedesktop.org/wiki/Exempi
 Source0: http://libopenraw.freedesktop.org/download/%{name}-%{version}.tar.bz2
+Patch0: CVE-2018-12648.patch
 BuildRequires: gcc-c++
 BuildRequires: boost-devel expat-devel zlib-devel pkgconfig
 # Work around for aarch64 support (https://bugzilla.redhat.com/show_bug.cgi?id=925327)
@@ -29,6 +30,7 @@ developing with exempi. %prep %setup -q +%patch0 -p1 %build libtoolize -vi
@@ -63,6 +65,10 @@ rm -rf %{buildroot}%{_libdir}/*.a %{_libdir}/pkgconfig/*.pc %changelog +* Wed Sep 26 2018 Nikola Forró - 2.4.5-4 +- Fix CVE-2018-12648 + Resolves #1594643 + * Fri Jul 13 2018 Fedora Release Engineering - 2.4.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild