diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
new file mode 100644
index 0000000..885db3b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
@@ -0,0 +1,51 @@
+https://bugs.gentoo.org/551752
+
+From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
+
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+
+This is CVE-2015-3209.
+
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Matt Tait <matttait@google.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index bdfd38f..68b9981 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
+         }
+ 
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++        /* if multi-tmd packet outsizes s->buffer then skip it silently.
++           Note: this is not what real hw does */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++            s->xmit_pos = -1;
++            goto txdone;
++        }
++
+         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+         s->xmit_pos += bcnt;
+-- 
+2.2.0.rc0.207.ga3a616c
+
diff --git a/app-emulation/qemu/qemu-2.3.0-r1.ebuild b/app-emulation/qemu/qemu-2.3.0-r2.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.3.0-r1.ebuild
rename to app-emulation/qemu/qemu-2.3.0-r2.ebuild
index 5a08f4e..d78a2a7 100644
--- a/app-emulation/qemu/qemu-2.3.0-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.3.0-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r1.ebuild,v 1.2 2015/05/13 23:11:02 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r2.ebuild,v 1.1 2015/06/12 14:19:29 vapier Exp $
 
 EAPI=5
 
@@ -261,6 +261,7 @@ src_prepare() {
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
 	epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404
+	epatch "${FILESDIR}"/${P}-CVE-2015-3209.patch #551752
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 			epatch