diff --git a/pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch b/pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch
new file mode 100644
index 000000000000..7312b41fc740
--- /dev/null
+++ b/pkgs/development/libraries/openssl/1.1/CVE-2023-4807.patch
@@ -0,0 +1,44 @@
+From 4bfac4471f53c4f74c8d81020beb938f92d84ca5 Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Tue, 22 Aug 2023 16:07:30 +0200
+Subject: [PATCH] Avoid clobbering non-volatile XMM registers
+
+This affects some Poly1305 assembler functions
+which are only used for certain CPU types.
+
+Remove those functions for Windows targets,
+as a simple interim solution.
+
+Fixes #21522
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21808)
+
+(cherry picked from commit 7b8e27bc2e02238986d89ef0ece067ec1b48e165)
+---
+ crypto/poly1305/asm/poly1305-x86_64.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl
+index fa9bfb7a7b81..24bab9d0bcf9 100755
+--- a/crypto/poly1305/asm/poly1305-x86_64.pl
++++ b/crypto/poly1305/asm/poly1305-x86_64.pl
+@@ -195,7 +195,7 @@ sub poly1305_iteration {
+ 	bt	\$`5+32`,%r9		# AVX2?
+ 	cmovc	%rax,%r10
+ ___
+-$code.=<<___	if ($avx>3);
++$code.=<<___	if ($avx>3 && !$win64);
+ 	mov	\$`(1<<31|1<<21|1<<16)`,%rax
+ 	shr	\$32,%r9
+ 	and	%rax,%r9
+@@ -2724,7 +2724,7 @@ sub poly1305_iteration {
+ .cfi_endproc
+ .size	poly1305_blocks_avx512,.-poly1305_blocks_avx512
+ ___
+-if ($avx>3) {
++if ($avx>3 && !$win64) {
+ ########################################################################
+ # VPMADD52 version using 2^44 radix.
+ #
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index aaee6685cfc5..93786881a520 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -241,6 +241,9 @@ in {
     patches = [
       ./1.1/nix-ssl-cert-file.patch
 
+      # https://www.openssl.org/news/secadv/20230908.txt
+      ./1.1/CVE-2023-4807.patch
+
       (if stdenv.hostPlatform.isDarwin
        then ./use-etc-ssl-certs-darwin.patch
        else ./use-etc-ssl-certs.patch)