diff --git a/pkgs/tools/misc/file/default.nix b/pkgs/tools/misc/file/default.nix
index 3765f913430830..7662bc235544fd 100644
--- a/pkgs/tools/misc/file/default.nix
+++ b/pkgs/tools/misc/file/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) file;
   buildInputs = [ zlib ];
 
+  patches = [ ./file-5.33-CVE-2018-10360.patch ];
+
   doCheck = true;
 
 
diff --git a/pkgs/tools/misc/file/file-5.33-CVE-2018-10360.patch b/pkgs/tools/misc/file/file-5.33-CVE-2018-10360.patch
new file mode 100644
index 00000000000000..a489846b10f87c
--- /dev/null
+++ b/pkgs/tools/misc/file/file-5.33-CVE-2018-10360.patch
@@ -0,0 +1,18 @@
+Avoid reading past the end of buffer
+
+CVE-2018-10360
+
+https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
+
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -842,7 +842,8 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
+ 
+ 				cname = (unsigned char *)
+ 				    &nbuf[doff + prpsoffsets(i)];
+-				for (cp = cname; *cp && isprint(*cp); cp++)
++				for (cp = cname; cp < nbuf + size && *cp
++				    && isprint(*cp); cp++)
+ 					continue;
+ 				/*
+ 				 * Linux apparently appends a space at the end