diff --git a/backport-0005-CVE-2021-41133.patch b/backport-0005-CVE-2021-41133.patch
new file mode 100644
index 0000000..c385b5a
--- /dev/null
+++ b/backport-0005-CVE-2021-41133.patch
@@ -0,0 +1,44 @@
+From 9766ee05b1425db397d2cf23afd24c7f6146a69f Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 1 Sep 2021 12:45:54 +0100
+Subject: [PATCH] run: Disallow recently-added mount-manipulation syscalls
+
+If we don't allow mount() then we shouldn't allow these either.
+
+Partially fixes GHSA-67h7-w3jq-vh4q.
+
+Thanks: an anonymous reporter
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Conflict:NA
+Reference:https://github.com/flatpak/flatpak/commit/9766ee05b1425db397d2cf23afd24c7f6146a69f
+
+---
+ common/flatpak-run.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index dad0cfe..2781694 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2838,6 +2838,18 @@ setup_seccomp (FlatpakBwrap   *bwrap,
+      * Return ENOSYS so user-space will fall back to clone().
+      * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
+     {SCMP_SYS (clone3), ENOSYS},
++
++    /* New mount manipulation APIs can also change our VFS. There's no
++     * legitimate reason to do these in the sandbox, so block all of them
++     * rather than thinking about which ones might be dangerous.
++     * (GHSA-67h7-w3jq-vh4q) */
++    {SCMP_SYS (open_tree), ENOSYS},
++    {SCMP_SYS (move_mount), ENOSYS},
++    {SCMP_SYS (fsopen), ENOSYS},
++    {SCMP_SYS (fsconfig), ENOSYS},
++    {SCMP_SYS (fsmount), ENOSYS},
++    {SCMP_SYS (fspick), ENOSYS},
++    {SCMP_SYS (mount_setattr), ENOSYS},
+   };
+ 
+   struct
+-- 
+2.27.0
\ No newline at end of file