diff --git a/VERSION-openeuler b/VERSION-openeuler
index 5d3abe88c7c5877275662fbad9c466aa80b7e4b8..17279649094c82abcb02fb2da8b2a36cb6bd2ad0 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-18.09.0.232
+18.09.0.233
diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec
index 24c5cde8e6f2d035b8f9afd281b24405c4f75005..57214fe70f1b90d311dc7c546f1299e24d7ad8d6 100644
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 232
+Release: 233
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -152,9 +152,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
 /usr/share/zsh/vendor-completions/_docker
 /usr/share/fish/vendor_completions.d/docker.fish
 %doc
-# /%{_mandir}/man1/*
-# /%{_mandir}/man5/*
-# /%{_mandir}/man8/*
 %config(noreplace,missingok) /etc/sysconfig/docker
 %config(noreplace,missingok) /etc/sysconfig/docker-storage
@@ -201,6 +198,12 @@ fi
 %endif
 %changelog
+* Thu Jun 16 2022 duyiwei - 18.09.0-233
+- Type:bugfix
+- CVE:CVE-2022-24769
+- SUG:NA
+- DESC:fix CVE-2022-24769
+
 * Fri Mar 11 2022 chenjiankun - 18.09.0-232
 - Type:bugfix
 - ID:NA
@@ -375,13 +378,13 @@ fi
 - SUG:NA
 - DESC:runc fix systemd cgroup after memory type changed
-* Thu May 6 2021 chenjiankun - 18.09.0-203
+* Thu May 18 2021 chenjiankun - 18.09.0-203
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:remove go-md2man build require
-* Thu Mar 18 2021 xiadanni - 18.09.0-202
+* Thu Mar 6 2021 xiadanni - 18.09.0-202
 - Type:bugfix
 - ID:NA
 - SUG:NA
diff --git a/patch/0222-docker-fix-CVE-2022-24769.patch b/patch/0222-docker-fix-CVE-2022-24769.patch
new file mode 100644
index 0000000000000000000000000000000000000000..898d0d33ec1fe10a980630b26125092853178488
--- /dev/null
+++ b/patch/0222-docker-fix-CVE-2022-24769.patch
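Review bot: The two date edits in the `@@ -375,13 +378,13 @@` hunk make those changelog entries internally inconsistent: `Thu May 18 2021` falls on a Tuesday and `Thu Mar 6 2021` on a Saturday, whereas the original `Thu May 6 2021` and `Thu Mar 18 2021` were genuine Thursdays, so rpmbuild is likely to warn about a bogus date in %changelog for both. Either restore the original dates or change the weekday together with the day, e.g. `* Tue May 18 2021 chenjiankun - 18.09.0-203` and `* Sat Mar 6 2021 xiadanni - 18.09.0-202`. Nothing on the page says why these historical entries were re-dated, so a short note on the intent would help the next reader.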
@@ -0,0 +1,81 @@
+From d3bf68367fe708a1d74d89a8d57c9b85c4fd292d Mon Sep 17 00:00:00 2001
+From: build
+Date: Thu, 16 Jun 2022 09:53:40 +0800
+Subject: [PATCH] CVE-2022-24769
+
+Signed-off-by: build
+---
+ components/engine/daemon/exec_linux.go | 10 ++++------
+ components/engine/daemon/oci.go | 20 ++++++++++++--------
+ components/engine/oci/defaults.go | 1 -
+ 3 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/components/engine/daemon/exec_linux.go b/components/engine/daemon/exec_linux.go
+index cd52f48..8720aa9 100644
+--- a/components/engine/daemon/exec_linux.go
++++ b/components/engine/daemon/exec_linux.go
+@@ -21,13 +21,11 @@ func (daemon *Daemon) execSetPlatformOpt(c *container.Container, ec *exec.Config
+ }
+ }
+ if ec.Privileged {
+- if p.Capabilities == nil {
+- p.Capabilities = &specs.LinuxCapabilities{}
++ p.Capabilities = &specs.LinuxCapabilities{
++ Bounding: caps.GetAllCapabilities(),
++ Permitted: caps.GetAllCapabilities(),
++ Effective: caps.GetAllCapabilities(),
+ }
+- p.Capabilities.Bounding = caps.GetAllCapabilities()
+- p.Capabilities.Permitted = p.Capabilities.Bounding
+- p.Capabilities.Inheritable = p.Capabilities.Bounding
+- p.Capabilities.Effective = p.Capabilities.Bounding
+ }
+ if apparmor.IsEnabled() {
+ var appArmorProfile string
+diff --git a/components/engine/daemon/oci.go b/components/engine/daemon/oci.go
+index 52050e2..4148e90 100644
+--- a/components/engine/daemon/oci.go
++++ b/components/engine/daemon/oci.go
+@@ -26,15 +26,19 @@ func setCapabilities(s *specs.Spec, c *container.Container) error {
+ return err
+ }
+ }
+- s.Process.Capabilities.Effective = caplist
+- s.Process.Capabilities.Bounding = caplist
+- s.Process.Capabilities.Permitted = caplist
+- s.Process.Capabilities.Inheritable = caplist
+ // setUser has already been executed here
+- // if non root drop capabilities in the way execve does
+- if s.Process.User.UID != 0 {
+- s.Process.Capabilities.Effective = []string{}
+- s.Process.Capabilities.Permitted = []string{}
++ if s.Process.User.UID == 0 {
++ s.Process.Capabilities = &specs.LinuxCapabilities{
++ Effective: caplist,
++ Bounding: caplist,
++ Permitted: caplist,
++ }
++ } else {
++ // Do not set Effective and Permitted capabilities for non-root users,
++ // to match what execve does.
++ s.Process.Capabilities = &specs.LinuxCapabilities{
++ Bounding: caplist,
++ }
+ }
+ return nil
+ }
+diff --git a/components/engine/oci/defaults.go b/components/engine/oci/defaults.go
+index ff027d8..57cbddb 100644
+--- a/components/engine/oci/defaults.go
++++ b/components/engine/oci/defaults.go
+@@ -61,7 +61,6 @@ func DefaultLinuxSpec() specs.Spec {
+ Capabilities: &specs.LinuxCapabilities{
+ Bounding: defaultCapabilities(),
+ Permitted: defaultCapabilities(),
+- Inheritable: defaultCapabilities(),
+ Effective: defaultCapabilities(),
+ },
+ },
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index f3edc05034dcc094ec28b294da384cd317f729ae..eefac11f37635f8a62abdf30f663198b2ede501f 100644
--- a/series.conf
+++ b/series.conf
@@ -215,4 +215,5 @@ patch/0218-docker-change-log-level-when-containerd-return-conta.patch
 patch/0219-docker-Fix-container-exited-after-docker-restart-whe.patch
 patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch
 patch/0221-docker-fix-Up-292-years-in-status-in-docker-ps-a.patch
+patch/0222-docker-fix-CVE-2022-24769.patch
 #end
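Review bot: The embedded patch carries no description beyond its subject `CVE-2022-24769`, is authored and signed off as `build`, and neither it nor the spec changelog names the upstream moby commit it backports, which makes it hard to confirm on the next rebase that the three embedded hunks (exec_linux.go, oci.go, defaults.go) still match upstream. Add an `Upstream: <upstream-commit-id>` line and a one-sentence summary to the patch body, for example `Drop the Inheritable capability set from the default spec and from the privileged paths so that file capabilities on binaries in the image are not inherited by non-root processes`. On the code, setCapabilities now leaves Effective and Permitted unset for a non-root container user, but execSetPlatformOpt only rewrites p.Capabilities when ec.Privileged is set; if p arrives pre-populated from the container spec (its construction is outside this patch), an exec with a non-root ec.User into a root container would keep the root Effective/Permitted sets, so that caller is worth confirming. Both execSetPlatformOpt and setCapabilities begin before their embedded hunks.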