diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index ab3654cb626b67..c6803683beb911 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -10,6 +10,14 @@ stdenv.mkDerivation rec {
     sha256 = "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2016-4658.patch";
+      url = "https://git.gnome.org/browse/libxml2/patch/?id=c1d1f7121194036608bf555f08d3062a36fd344b";
+      sha256 = "0q7i5qgwgzp2x4r820mqq3nx69bgkd7n0v00j28wa6hndbfaaxmb";
+    })
+  ];
+
   # https://bugzilla.gnome.org/show_bug.cgi?id=766834#c5
   postPatch = "patch -R < " + fetchpatch {
     name = "schemas-validity.patch";