diff --git a/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch b/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
new file mode 100644
index 000000000000..ed916fcf4d1f
--- /dev/null
+++ b/pkgs/development/libraries/db/CVE-2017-10140-4.8-cwd-db_config.patch
@@ -0,0 +1,11 @@
+--- a/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
++++ b/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
++	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+ 
+ 	/*
diff --git a/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch b/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
new file mode 100644
index 000000000000..652e962bbe18
--- /dev/null
+++ b/pkgs/development/libraries/db/CVE-2017-10140-cwd-db_config.patch
@@ -0,0 +1,11 @@
+--- db-5.3.28/src/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
++	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+ 
+ 	/*
diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix
index bce91e5a9401..76e30e921ba1 100644
--- a/pkgs/development/libraries/db/db-4.8.nix
+++ b/pkgs/development/libraries/db/db-4.8.nix
@@ -3,7 +3,7 @@
 import ./generic.nix (args // rec {
   version = "4.8.30";
   sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
-  extraPatches = [ ./clang-4.8.patch ];
+  extraPatches = [ ./clang-4.8.patch ./CVE-2017-10140-4.8-cwd-db_config.patch ];
 
   drvArgs.hardeningDisable = [ "format" ];
   drvArgs.doCheck = false;
diff --git a/pkgs/development/libraries/db/db-5.3.nix b/pkgs/development/libraries/db/db-5.3.nix
index 066eca4e63d8..7894e4c73262 100644
--- a/pkgs/development/libraries/db/db-5.3.nix
+++ b/pkgs/development/libraries/db/db-5.3.nix
@@ -3,5 +3,5 @@
 import ./generic.nix (args // rec {
   version = "5.3.28";
   sha256 = "0a1n5hbl7027fbz5lm0vp0zzfp1hmxnz14wx3zl9563h83br5ag0";
-  extraPatches = [ ./clang-5.3.patch ];
+  extraPatches = [ ./clang-5.3.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/db/db-6.0.nix b/pkgs/development/libraries/db/db-6.0.nix
index b7c5667b883e..bafca3bd52d2 100644
--- a/pkgs/development/libraries/db/db-6.0.nix
+++ b/pkgs/development/libraries/db/db-6.0.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
   version = "6.0.20";
   sha256 = "00r2aaglq625y8r9xd5vw2y070plp88f1mb2gbq3kqsl7128lsl0";
   license = stdenv.lib.licenses.agpl3;
-  extraPatches = [ ./clang-6.0.patch ];
+  extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })
diff --git a/pkgs/development/libraries/db/db-6.2.nix b/pkgs/development/libraries/db/db-6.2.nix
index f897e3744af1..96f7668aa903 100644
--- a/pkgs/development/libraries/db/db-6.2.nix
+++ b/pkgs/development/libraries/db/db-6.2.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
   version = "6.2.23";
   sha256 = "1isxx4jfmnh913jzhp8hhfngbk6dsg46f4kjpvvc56maj64jqqa7";
   license = stdenv.lib.licenses.agpl3;
-  extraPatches = [ ./clang-6.0.patch ];
+  extraPatches = [ ./clang-6.0.patch ./CVE-2017-10140-cwd-db_config.patch ];
 })