diff --git a/debian/changelog b/debian/changelog
index 65cb462948900eb344aa7fa58245341afbebe04a..bc38a3bf1be64a48974a483c09f91df0063261b7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.20.11-1+deb11u6) bullseye-security; urgency=high
+
+  * composite: Fix use-after-free of the COW (CVE-2023-1393)
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 23 Mar 2023 11:25:56 +0100
+
 xorg-server (2:1.20.11-1+deb11u5+apertis1) apertis; urgency=medium
 
   * Sync updates from Debian Bullseye Security.
diff --git a/debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch b/debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2fc9c9366c67157ac9fd15583de346e0a3815722
--- /dev/null
+++ b/debian/patches/21_composite-Fix-use-after-free-of-the-COW.patch
@@ -0,0 +1,37 @@
+From 947bd1b3f4a23565bf10879ec41ba06ebe1e1c76 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 13 Mar 2023 11:08:47 +0100
+Subject: [PATCH xserver] composite: Fix use-after-free of the COW
+
+ZDI-CAN-19866/CVE-2023-1393
+
+If a client explicitly destroys the compositor overlay window (aka COW),
+we would leave a dangling pointer to that window in the CompScreen
+structure, which will trigger a use-after-free later.
+
+Make sure to clear the CompScreen pointer to the COW when the latter gets
+destroyed explicitly by the client.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+---
+ composite/compwindow.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/composite/compwindow.c
++++ b/composite/compwindow.c
+@@ -613,6 +613,11 @@ compDestroyWindow(WindowPtr pWin)
+     ret = (*pScreen->DestroyWindow) (pWin);
+     cs->DestroyWindow = pScreen->DestroyWindow;
+     pScreen->DestroyWindow = compDestroyWindow;
++
++    /* Did we just destroy the overlay window? */
++    if (pWin == cs->pOverlayWin)
++        cs->pOverlayWin = NULL;
++
+ /*    compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/
+     return ret;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 3ba9dbf98e568d39ef2e92d245a717056365b73c..0128192c98f61947210b939a1b3a0f3439137776 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ disable-libgl-in-xwayland.patch
 18_Xi-avoid-integer-truncation-in-length-check-of-ProcX.patch
 19_xkb-reset-the-radio_groups-pointer-to-NULL-after-fre.patch
 20_Xi-fix-potential-use-after-free-in-DeepCopyPointerCl.patch
+21_composite-Fix-use-after-free-of-the-COW.patch