diff --git a/9621.patch b/9621.patch
new file mode 100644
index 0000000..b4c3835
--- /dev/null
+++ b/9621.patch
@@ -0,0 +1,36 @@
+From 72119ea71422d2892f2a0475fc282835310f8d9e Mon Sep 17 00:00:00 2001
+From: Cory Quammen <cory.quammen@kitware.com>
+Date: Thu, 29 Sep 2022 13:10:00 -0400
+Subject: [PATCH] vtkXMLTreeReader: protect against possible nullptr
+ dereference
+
+Vulnerability reported at
+https://nvd.nist.gov/vuln/detail/CVE-2021-42521.
+
+Fixes #17818
+
+(cherry picked from commit 9a2fe8ef2ecbf04f811b2e02b71eae8b94aae089)
+---
+ IO/Infovis/vtkXMLTreeReader.cxx | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IO/Infovis/vtkXMLTreeReader.cxx b/IO/Infovis/vtkXMLTreeReader.cxx
+index 64abca37e96..af64572b27f 100644
+--- a/IO/Infovis/vtkXMLTreeReader.cxx
++++ b/IO/Infovis/vtkXMLTreeReader.cxx
+@@ -217,6 +217,12 @@ int vtkXMLTreeReader::RequestData(
+ 
+   // Get the root element node
+   xmlNode* rootElement = xmlDocGetRootElement(doc);
++  if (!rootElement)
++  {
++    vtkErrorMacro(<< "Could not get root element of document.");
++    return 0;
++  }
++
+   vtkXMLTreeReaderProcessElement(builder, -1, rootElement, this->ReadCharData, this->MaskArrays);
+ 
+   xmlFreeDoc(doc);
+-- 
+GitLab
+
diff --git a/vtk.spec b/vtk.spec
index 3dab677..98fcd3a 100644
--- a/vtk.spec
+++ b/vtk.spec
@@ -40,7 +40,7 @@
 Summary: The Visualization Toolkit - A high level 3D visualization library
 Name: vtk
 Version: 9.1.0
-Release: 17%{?dist}
+Release: 18%{?dist}
 # This is a variant BSD license, a cross between BSD and ZLIB.
 # For all intents, it has the same rights and restrictions as BSD.
 # http://fedoraproject.org/wiki/Licensing/BSD#VTKBSDVariant
@@ -58,6 +58,8 @@ Patch2: vtk-netcdf.patch
 # Duplicate define conflict with Xutil, see:
 # https://gitlab.kitware.com/vtk/vtk/-/issues/18048
 Patch3: vtk-AllValues.patch
+# CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference
+Patch4: https://gitlab.kitware.com/vtk/vtk/-/merge_requests/9621.patch
 
 URL: https://vtk.org/
 
@@ -844,6 +846,10 @@ cat xorg.log
 
 
 %changelog
+* Tue Apr 25 2023 Orion Poplawski <orion@nwra.com> - 9.1.0-18
+- Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr
+  dereference (bz#2189654)
+
 * Thu Jul 28 2022 Orion Poplawski <orion@nwra.com> - 9.1.0-17
 - Remove all of vtkdata/Wrapping to keep vtk-data noarch