diff --git a/debian/changelog b/debian/changelog
index bf9b6138..a3827755 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+firewalld (1.3.3-1~deb12u2) bookworm; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2026-4948: fix dbus policy for set{ZoneSettings2,PolicySettings}
+
+ -- Andreas Henriksson <andreas@fatal.se>  Wed, 20 May 2026 10:02:28 +0200
+
 firewalld (1.3.3-1~deb12u1) bookworm; urgency=medium
 
   * Upload to bookworm.
diff --git a/debian/patches/CVE-2026-4948.patch b/debian/patches/CVE-2026-4948.patch
new file mode 100644
index 00000000..b5f26889
--- /dev/null
+++ b/debian/patches/CVE-2026-4948.patch
@@ -0,0 +1,33 @@
+From: Sizhe Zhao <prc.zhao@outlook.com>
+Date: Tue, 31 Mar 2026 20:46:50 +0800
+Subject: fix(policy): use PK_ACTION_CONFIG for
+ set{ZoneSettings2,PolicySettings}
+
+Reference: https://access.redhat.com/security/cve/cve-2026-4948
+(cherry picked from commit 5fb3914ad830feff6cb2b0670457c60a323c6c6c)
+---
+ src/firewall/server/firewalld.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 895e963..6142a8d 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -925,7 +925,7 @@ class FirewallD(slip.dbus.service.Object):
+         log.debug1("getZoneSettings2(%s)", zone)
+         return self.fw.zone.get_config_with_settings_dict(zone)
+ 
+-    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+     @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sa{sv}')
+     @dbus_handle_exceptions
+     def setZoneSettings2(self, zone, settings, sender=None):
+@@ -949,7 +949,7 @@ class FirewallD(slip.dbus.service.Object):
+         log.debug1("policy.getPolicySettings(%s)", policy)
+         return self.fw.policy.get_config_with_settings_dict(policy)
+ 
+-    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
++    @dbus_polkit_require_auth(config.dbus.PK_ACTION_CONFIG)
+     @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICY, in_signature='sa{sv}')
+     @dbus_handle_exceptions
+     def setPolicySettings(self, policy, settings, sender=None):
diff --git a/debian/patches/series b/debian/patches/series
index 8c262ab8..f06968f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Remove-etc-sysconfig-firewalld-support.patch
 Switch-to-python3.patch
+CVE-2026-4948.patch