diff --git a/pkgs/by-name/xe/xen/package.nix b/pkgs/by-name/xe/xen/package.nix
index 9d6de3bcf682..ca36890f5904 100644
--- a/pkgs/by-name/xe/xen/package.nix
+++ b/pkgs/by-name/xe/xen/package.nix
@@ -3,6 +3,7 @@
   stdenv,
   testers,
   fetchgit,
+  fetchpatch,
   replaceVars,
 
   # Xen
@@ -184,6 +185,20 @@ stdenv.mkDerivation (finalAttrs: {
     ./0001-makefile-efi-output-directory.patch
 
     (replaceVars ./0002-scripts-external-executable-calls.patch scriptDeps)
+
+    # XSA 472
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa472-1.patch";
+      hash = "sha256-6k/X7KFno9uBG0mUtJxl7TMavaRs2Xlj9JlW9ai6p0k=";
+    })
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa472-2.patch";
+      hash = "sha256-BisdztU9Wa5nIGmHo4IikqYPHdEhBehHaNqj1IuBe6I=";
+    })
+    (fetchpatch {
+      url = "https://xenbits.xen.org/xsa/xsa472-3.patch";
+      hash = "sha256-rikOofQeuLNMBkdQS3xzmwh7BlgMOTMSsQcAOEzNOso=";
+    })
   ];
 
   outputs = [