diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index 1a9025a4a9078..69e8bd1b93375 100644
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , fetchurl
+, fetchpatch
 , openssl
 , nettle
 , expat
@@ -57,6 +58,14 @@ stdenv.mkDerivation (finalAttrs: {
 hash = "sha256-VrTO7TNjlSIAD9lndVdt34eCuzYXYQcV1/Hnd8XsHb8=";
 };

+ patches = [
+ (fetchpatch {
+ name = "CVE-2024-8508.patch";
+ url = "https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff";
+ hash = "sha256-u9een9NSm0WgDYhCIQjLDT743Smm0df7xBXnpPBvhJs=";
+ })
+ ];
+
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB

 nativeBuildInputs =
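Review bot: The new `patches` list in the second hunk has no comment saying what the patch is for or when it can be dropped, so a later version bump may keep a security backport that no longer applies. A line above the `fetchpatch` call such as `# Upstream fix for CVE-2024-8508; remove when src is updated to a release that already contains it.` would make the removal condition explicit. The URL is unversioned, but the pinned `hash` means a changed file upstream fails the build rather than being applied, so the pin should stay and any hash change should be reviewed against the upstream advisory. The `mkDerivation` body starts and ends outside this hunk, so whether a `patches` attribute is set elsewhere cannot be checked from here.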