diff --git a/backport-0007-CVE-2021-41133.patch b/backport-0007-CVE-2021-41133.patch
new file mode 100644
index 0000000..b85fc0c
--- /dev/null
+++ b/backport-0007-CVE-2021-41133.patch
@@ -0,0 +1,34 @@
+From 1330662f33a55e88bfe18e76de28b7922d91a999 Mon Sep 17 00:00:00 2001
+From: Simon McVittie
+Date: Wed, 1 Sep 2021 14:20:29 +0100
+Subject: [PATCH] run: Don't allow unmounting filesystems
+
+If we don't allow mounting filesystems, we shouldn't allow unmounting
+either.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Signed-off-by: Simon McVittie
+
+Conflict:NA
+Reference:https://github.com/flatpak/flatpak/commit/1330662f33a55e88bfe18e76de28b7922d91a999
+
+---
+ common/flatpak-run.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index c266dbe..b1a8db5 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2821,6 +2821,8 @@ setup_seccomp (FlatpakBwrap *bwrap,
+ {SCMP_SYS (unshare), EPERM},
+ {SCMP_SYS (setns), EPERM},
+ {SCMP_SYS (mount), EPERM},
++ {SCMP_SYS (umount), EPERM},
++ {SCMP_SYS (umount2), EPERM},
+ {SCMP_SYS (pivot_root), EPERM},
+ #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
+ /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
+--
+2.27.0
\ No newline at end of file
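Review bot: The two new denylist entries at `{SCMP_SYS (umount), EPERM}` and `{SCMP_SYS (umount2), EPERM}` only close the unmount half of the advisory, and the embedded commit message itself says "Partially fixes GHSA-67h7-w3jq-vh4q"; the upstream fix for that advisory spans further commits that extend the same seccomp table to the newer mount-API syscalls, so the packaging series should be checked to confirm those sibling backports are present alongside this 0007 patch, otherwise the sandbox is still only partly hardened. The legacy single-argument `umount` syscall is not defined on every architecture libseccomp supports, so it is worth verifying that the rule-installation loop in setup_seccomp tolerates an unknown-syscall result for that entry rather than failing the whole filter setup; I cannot see that loop from the hunk, so treat this as something to confirm. setup_seccomp starts and ends outside the hunk, and the "Conflict:NA" line suggests the context applied cleanly, which is consistent with the unchanged surrounding entries shown.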