diff --git a/pkgs/development/tools/parsing/re2c/default.nix b/pkgs/development/tools/parsing/re2c/default.nix
index 482beeff12219d..f11153ec6df13e 100644
--- a/pkgs/development/tools/parsing/re2c/default.nix
+++ b/pkgs/development/tools/parsing/re2c/default.nix
@@ -12,6 +12,30 @@ stdenv.mkDerivation rec {
   };
 
   patches = [
+    (fetchpatch {
+      name = "CVE-2018-21232-part1.patch";
+      url = "https://github.com/skvadrik/re2c/commit/fd634998f813340768c333cdad638498602856e5.patch";
+      sha256 = "1blyg5lyhqd4ymisih65xl0g36ig71ijia4skkkd59rdvj78aiw6";
+    })
+
+    (fetchpatch {
+      name = "CVE-2018-21232-part2.patch";
+      url = "https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521.patch";
+      sha256 = "0rhmgqrinpk49r9x75ygrs14lz72aw5ad5kr6qp9bdyl8gs082qp";
+    })
+
+    (fetchpatch {
+      name = "CVE-2018-21232-part3.patch";
+      url = "https://github.com/skvadrik/re2c/commit/4d9c809355b574f2a58eac119f5e076c48e4d1e2.patch";
+      sha256 = "0k86wg9icw1gkqpf7rq2w6xsq4caxw3rc0zfxf39liwa35027rai";
+    })
+
+    (fetchpatch {
+      name = "CVE-2018-21232-part4.patch";
+      url = "https://github.com/skvadrik/re2c/commit/89be91f3df00657261870adbc590209fdb2bc405.patch";
+      sha256 = "1aygy9va7jwby93chlskwg7z90fn07x5hym0gziwlkx8k900p3a3";
+    })
+
     (fetchpatch {
       name = "CVE-2020-11958.patch";
       url = "https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a.patch";