diff --git a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec index ec98ea66e73..a1412372eee 100644 --- a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec +++ b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec @@ -11,7 +11,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: edk2-hvloader-signed-%{buildarch} Version: %{GITDATE}git%{GITCOMMIT} -Release: 17%{?dist} +Release: 18%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -74,6 +74,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Mon Jun 15 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-18 +- Bump release for consistency with edk2 spec. + * Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 - Bump release for consistency with edk2 spec. diff --git a/SPECS/edk2/CVE-2026-34182.patch b/SPECS/edk2/CVE-2026-34182.patch new file mode 100644 index 00000000000..40f5ed9220f --- /dev/null +++ b/SPECS/edk2/CVE-2026-34182.patch 
@@ -0,0 +1,107 @@
+From 4719b3d0c6e241c8b65ca77cd2e6971b8e39ffb4 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 15 Jun 2026 06:57:10 +0000
+Subject: [PATCH] Reject potentially forged encrypted CMS AuthEnvelopedData
+ messages
+
+Signed-off-by: rpm-build
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7.patch
+---
+ .../OpensslLib/openssl/crypto/cms/cms_enc.c | 18 +++++++++++++-----
+ .../OpensslLib/openssl/crypto/cms/cms_env.c | 7 ++++---
+ .../OpensslLib/openssl/crypto/cms/cms_local.h | 2 +-
+ 3 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
+index a3909ba..64f7389 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
+@@ -22,7 +22,8 @@
+ /* Return BIO based on EncryptedContentInfo and key */
+ 
+ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+- const CMS_CTX *cms_ctx)
++ const CMS_CTX *cms_ctx,
++ int auth)
+ {
+ BIO *b;
+ EVP_CIPHER_CTX *ctx;
+@@ -99,13 +100,20 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+ goto err;
+ }
+ if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
++ if (!auth) {
++ ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA);
++ goto err;
++ }
+ piv = aparams.iv;
+- if (ec->taglen > 0
+- && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+- ec->taglen, ec->tag) <= 0) {
++
++ if (ec->taglen < 4 || ec->taglen > 16
++ || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) {
+ ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR);
+ goto err;
+ }
++ } else if (auth) {
++ ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
++ goto err;
+ }
+ }
+ len = EVP_CIPHER_CTX_get_key_length(ctx);
+@@ -250,5 +258,5 @@ BIO 
*ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms)
+ if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs)
+ enc->version = 2;
+ return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo,
+- ossl_cms_get0_cmsctx(cms));
++ ossl_cms_get0_cmsctx(cms), 0);
+ }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c
+index 156a3f7..cb11d8c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c
+@@ -1111,7 +1111,8 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
+ {
+ CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
+ BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec,
+- ossl_cms_get0_cmsctx(cms));
++ ossl_cms_get0_cmsctx(cms),
++ 0);
+ EVP_CIPHER_CTX *ctx = NULL;
+ 
+ if (contentBio == NULL)
+@@ -1147,7 +1148,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
+ /* Get BIO first to set up key */
+ 
+ ec = env->encryptedContentInfo;
+- ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms));
++ ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 0);
+ 
+ /* If error end of processing */
+ if (!ret)
+@@ -1199,7 +1200,7 @@ BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms)
+ ec->tag = aenv->mac->data;
+ ec->taglen = aenv->mac->length;
+ }
+- ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms));
++ ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 1);
+ 
+ /* If error or no cipher end of processing */
+ if (ret == NULL || ec->cipher == NULL)
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h
+index 15b4a29..6f6f954 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h
++++ 
b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h +@@ -429,7 +429,7 @@ int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); + int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); + + BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, +- const CMS_CTX *ctx); ++ const CMS_CTX *ctx, int auth); + BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); + int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, +-- +2.45.4 + diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec index 3f2dfe618ca..09fd7186dde 100644 --- a/SPECS/edk2/edk2.spec +++ b/SPECS/edk2/edk2.spec @@ -56,7 +56,7 @@ Distribution: Azure Linux Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 17%{?dist} +Release: 18%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain URL: https://www.tianocore.org @@ -152,6 +152,7 @@ Patch1014: CVE-2026-22796.patch Patch1015: CVE-2025-69419.patch Patch1016: CVE-2026-28389.patch Patch1017: CVE-2026-28390.patch +Patch1018: CVE-2026-34182.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -799,6 +800,9 @@ done %endif %changelog +* Mon Jun 15 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-18 +- Patch for CVE-2026-34182 + * Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 - Enable build_aarch64 to build arm64 firmware bins - Disable OVMF compilation on aarch64 hosts due to missing cross gcc-x86_64-linux-gnu
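Review bot: The new `ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA)` in the cms_enc.c hunk at `@@ -99,13 +100,20 @@` of the embedded CVE-2026-34182.patch uses a reason code that none of the three files in the patch's own diffstat defines, so unless this tree's OpenSSL already declares it in include/openssl/cmserr.h (with its string in crypto/cms/cms_err.c) the OpensslLib build will fail; given the "AI Backport" label in the patch header, an actual build of the patched CryptoPkg should be confirmed rather than assumed. The rest of the change reads as intended: the tag becomes mandatory on the AEAD path with `ec->taglen` bounded to 4..16 before the `(int)` cast, a non-AEAD cipher is refused when `auth` is set, and only `ossl_cms_AuthEnvelopedData_init_bio` passes `1` while the EncryptedData and EnvelopedData call sites pass `0`. A one-line comment above the new bounds check would help the next maintainer, e.g. `/* Tag is required: the old taglen > 0 guard skipped EVP_CTRL_AEAD_SET_TAG when no tag was present */`. The body of `ossl_cms_EncryptedContent_init_bio` begins and ends outside the hunk, so whether this block sits on the decrypt-only path cannot be confirmed from here.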