diff --git a/debian/changelog b/debian/changelog
index 31d77b3..ebadba0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+python-ecdsa (0.19.0-2+deepin1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2026-33936: reject truncated DER lengths in
+ octet/constructed functions
+
+ -- OpenClaw Security Agent Mon, 27 Apr 2026 15:10:08 +0800
+
 python-ecdsa (0.19.0-2) unstable; urgency=medium
 
  * Team upload.
diff --git a/debian/patches/CVE-2026-33936.patch b/debian/patches/CVE-2026-33936.patch
new file mode 100644
index 0000000..bc4bcdb
--- /dev/null
+++ b/debian/patches/CVE-2026-33936.patch
@@ -0,0 +1,44 @@
+Index: github-python-ecdsa-CVE-2026-33936/src/ecdsa/der.py
+===================================================================
+--- github-python-ecdsa-CVE-2026-33936.orig/src/ecdsa/der.py
++++ github-python-ecdsa-CVE-2026-33936/src/ecdsa/der.py
+@@ -138,6 +138,8 @@ def remove_constructed(string):
+ )
+ tag = s0 & 0x1F
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return tag, body, rest
+@@ -161,6 +163,8 @@ def remove_octet_string(string):
+ n = str_idx_as_int(string, 0)
+ raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
+ length, llen = read_length(string[1:])
++ if length > len(string) - 1 - llen:
++ raise UnexpectedDER("Length longer than the provided buffer")
+ body = string[1 + llen : 1 + llen + length]
+ rest = string[1 + llen + length :]
+ return body, rest
+Index: github-python-ecdsa-CVE-2026-33936/src/ecdsa/test_der.py
+===================================================================
+--- github-python-ecdsa-CVE-2026-33936.orig/src/ecdsa/test_der.py
++++ github-python-ecdsa-CVE-2026-33936/src/ecdsa/test_der.py
+@@ -476,3 +476,17 @@ def test_oids(ids):
+ decoded_oid, rest = remove_object(encoded_oid)
+ assert rest == b""
+ assert decoded_oid == ids
++
++def test_remove_octet_string_rejects_truncated_length():
++ # OCTET STRING: declared length 4096, but only 3 bytes present
++ bad = b"\x04\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_octet_string(bad)
++
++def test_remove_constructed_rejects_truncated_length():
++ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
++ # declared length 4096, but only 3 bytes present
++ bad = b"\xA0\x82\x10\x00" + b"ABC"
++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
++ remove_constructed(bad)
++
diff --git a/debian/patches/series b/debian/patches/series
index 365106f..35f57f2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 00-remove-temp-test-dir.patch
 remove-six.patch
+CVE-2026-33936.patch
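Review bot: The two tests added in the test_der.py hunk only drive the rejecting path with a long-form length (`\x82\x10\x00`), so nothing pins the boundary the new checks in remove_octet_string and remove_constructed depend on — a declared length exactly equal to the remaining bytes must still parse — and an off-by-one in `len(string) - 1 - llen` would pass this suite unnoticed; a short-form truncated length (`b"\x04\x05AB"`) is also uncovered. Adding an accept-at-boundary test and a short-form rejection test next to the new ones closes both gaps. The guard is now copied verbatim into two functions (and, if I read the module right, matches the wording remove_sequence already uses), so a small shared helper such as `_check_body_fits(string, length, llen)` (name constructed here) would keep every decoder's bound in step instead of patching them one function at a time. Both remove_constructed and remove_octet_string begin above their hunks, so their tag checks are not visible here.
```python
# … unchanged: existing tests and the two new rejection tests …

def test_remove_octet_string_accepts_exact_length():
    # declared length 3 with exactly 3 bytes present must not raise
    body, rest = remove_octet_string(b"\x04\x03ABC")
    assert body == b"ABC"
    assert rest == b""

def test_remove_octet_string_rejects_short_form_truncated_length():
    # short-form length 5, only 2 bytes present
    with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
        remove_octet_string(b"\x04\x05AB")
```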