diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77f4e5427..42db1a99d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,6 +60,8 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 
 - hbase: link to phoenix server jar ([#811]).
+- spark: Fix CVE-2024-36114 in Spark 3.5.1 by upgrading a dependency.
+  Spark 3.5.2 is not affected. ([#921])
 - trino: Correctly report Trino version ([#881]).
 
 [#783]: https://github.com/stackabletech/docker-images/pull/783
@@ -103,6 +105,7 @@ All notable changes to this project will be documented in this file.
 [#913]: https://github.com/stackabletech/docker-images/pull/913
 [#914]: https://github.com/stackabletech/docker-images/pull/914
 [#920]: https://github.com/stackabletech/docker-images/pull/920
+[#921]: https://github.com/stackabletech/docker-images/pull/921
 
 ## [24.7.0] - 2024-07-24
 
diff --git a/spark-k8s/stackable/patches/3.5.1/002-CVE-2024-36114-upgrade-aircompressor.patch b/spark-k8s/stackable/patches/3.5.1/002-CVE-2024-36114-upgrade-aircompressor.patch
new file mode 100644
index 000000000..29247f97c
--- /dev/null
+++ b/spark-k8s/stackable/patches/3.5.1/002-CVE-2024-36114-upgrade-aircompressor.patch
@@ -0,0 +1,33 @@
+Fix CVE-2024-36114
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+
+diff --git a/pom.xml b/pom.xml
+index 6cca7db7bf8..fb9254e0cd9 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -2558,7 +2558,7 @@
+       
+         io.airlift
+         aircompressor
+-        0.26
++        0.27
+       
+       
+         org.apache.orc
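Review bot: The embedded pom.xml hunk's context and changed lines (`io.airlift`, `aircompressor`, `0.26`, `0.27`) appear here without their `<groupId>`, `<artifactId>` and `<version>` element tags, so as shown the patch would not match Spark's pom.xml and would be rejected at apply time; if the tags were only lost in rendering this is a non-issue, but it is worth confirming that the committed file applies cleanly during the 3.5.1 image build. Independently, changing the declared version in Spark's root pom.xml only remediates CVE-2024-36114 if no other module or transitive dependency still resolves aircompressor 0.26, so I would verify the built image's Spark `jars/` directory contains exactly one aircompressor jar at version 0.27 and that the scanner finding tracked in the linked vulnerabilities issue clears, before treating the CHANGELOG statement as confirmed. A short line in the patch header recording how that was verified (e.g. `Verified: aircompressor-0.27.jar present in jars/, 0.26 absent`) would help the next person who rebases this patch.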