diff --git a/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch b/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch
new file mode 100644
index 0000000000000..d8ee348423d5e
--- /dev/null
+++ b/pkgs/development/libraries/tpm2-tss/CVE-2023-22745.patch
@@ -0,0 +1,113 @@
+diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
+index 15ced567..4e146593 100644
+--- a/src/tss2-rc/tss2_rc.c
++++ b/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++#include
+ #include
+ #include
+ #include
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+ char name[TSS2_ERR_LAYER_NAME_MAX];
+ TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
++} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+ ADD_HANDLER("tpm" , tpm2_ehandler),
+ ADD_NULL_HANDLER, /* layer 1 is unused */
+ ADD_NULL_HANDLER, /* layer 2 is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+ static __thread char buf[32];
+
+ clearbuf(buf);
+- catbuf(buf, "0x%X", tpm2_error_get(rc));
++ catbuf(buf, "0x%X", rc);
+
+ return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+ catbuf(buf, "%u:", layer);
+ }
+
+- handler = !handler ? unknown_layer_handler : handler;
+-
+ /*
+ * Handlers only need the error bits. This way they don't
+ * need to concern themselves with masking off the layer
+ * bits or anything else.
+ */
+- UINT16 err_bits = tpm2_error_get(rc);
+- const char *e = err_bits ? handler(err_bits) : "success";
+- if (e) {
+- catbuf(buf, "%s", e);
++ if (handler) {
++ UINT16 err_bits = tpm2_error_get(rc);
++ const char *e = err_bits ? handler(err_bits) : "success";
++ if (e) {
++ catbuf(buf, "%s", e);
++ } else {
++ catbuf(buf, "0x%X", err_bits);
++ }
+ } else {
+- catbuf(buf, "0x%X", err_bits);
++ /*
++ * we don't want to drop any bits if we don't know what to do with it
++ * so drop the layer byte since we we already have that.
++ */
++ const char *e = unknown_layer_handler(rc >> 8);
++ assert(e);
++ catbuf(buf, "%s", e);
+ }
+
+ return buf;
+diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
+index f4249b7b..c297298d 100644
+--- a/test/unit/test_tss2_rc.c
++++ b/test/unit/test_tss2_rc.c
+@@ -199,7 +199,7 @@ test_custom_handler(void **state)
+ * Test an unknown layer
+ */
+ e = Tss2_RC_Decode(rc);
+- assert_string_equal(e, "1:0x2A");
++ assert_string_equal(e, "1:0x100");
+ }
+
+ static void
+@@ -282,6 +282,23 @@ test_tcti(void **state)
+ assert_string_equal(e, "tcti:Fails to connect to next lower layer");
+ }
+
++static void
++test_all_FFs(void **state)
++{
++ (void) state;
++
++ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
++ assert_string_equal(e, "255:0xFFFFFF");
++}
++
++static void
++test_all_FFs_set_handler(void **state)
++{
++ (void) state;
++ Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
++ Tss2_RC_SetHandler(0xFF, NULL, NULL);
++}
++
+ /* link required symbol, but tpm2_tool.c declares it AND main, which
+ * we have a main below for cmocka tests.
+ */
+@@ -313,6 +330,8 @@ main(int argc, char* argv[])
+ cmocka_unit_test(test_esys),
+ cmocka_unit_test(test_mu),
+ cmocka_unit_test(test_tcti),
++ cmocka_unit_test(test_all_FFs),
++ cmocka_unit_test(test_all_FFs_set_handler),
+ };
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
diff --git a/pkgs/development/libraries/tpm2-tss/default.nix b/pkgs/development/libraries/tpm2-tss/default.nix
index ec17a2d515a06..32bdb798d1d60 100644
--- a/pkgs/development/libraries/tpm2-tss/default.nix
+++ b/pkgs/development/libraries/tpm2-tss/default.nix
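Review bot: In the new else-branch of Tss2_RC_Decode the comment says the layer byte is dropped, but `unknown_layer_handler(rc >> 8)` discards the low byte of the code instead, and the changed test expectations (`1:0x100` where `1:0x2A` was expected before, and `255:0xFFFFFF` for an all-ones code) suggest the layer bits survive in the printed value while the low error bits are lost. If the intent stated in the comment is to print everything except the layer field, masking rather than shifting would match it, e.g. `const char *e = unknown_layer_handler(rc & ~TSS2_RC_LAYER_MASK);` (assuming that mask is the layer field the earlier `"%u:"` prefix is derived from), and the two string expectations in test_tss2_rc.c would change accordingly; otherwise the comment should say that the low byte is dropped. Since this file is a backport of the referenced upstream commit, the mismatch is better reported upstream than fixed only in this copy. The added `assert(e)` disappears under NDEBUG, but unknown_layer_handler always returns its thread-local `buf`, so the following `catbuf` is safe either way; Tss2_RC_Decode itself begins outside the hunk.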
@@ -53,6 +53,9 @@ stdenv.mkDerivation rec { # Do not rely on dynamic loader path # TCTI loader relies on dlopen(), this patch prefixes all calls with the output directory ./no-dynamic-loader-path.patch + # Backport of https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5 + # Does not apply cleanly because of tests + ./CVE-2023-22745.patch ]; postPatch = '' @@ -91,6 +94,6 @@ stdenv.mkDerivation rec { homepage = "https://github.com/tpm2-software/tpm2-tss"; license = licenses.bsd2; platforms = platforms.linux; - maintainers = with maintainers; [ ]; + maintainers = with maintainers; [ baloo ]; }; }
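Review bot: The comment on the new `./CVE-2023-22745.patch` entry records that the upstream commit does not apply cleanly because of tests, but not what was changed locally, so anyone re-verifying the backport against the referenced commit has to diff the two by hand. Suggest extending the comment to name the adjusted parts, e.g. `# Local changes vs. upstream: <which hunks of test/unit/test_tss2_rc.c were re-based>`, so a later version bump knows what to drop.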