diff --git a/vmtest/config.py b/vmtest/config.py
index 366e4248..9a39cd61 100644
--- a/vmtest/config.py
+++ b/vmtest/config.py
@@ -11,7 +11,7 @@ from typing import Dict, Mapping, NamedTuple, Sequence
 from util import NORMALIZED_MACHINE_NAME
 KERNEL_ORG_COMPILER_VERSION = "12.2.0"
-VMTEST_KERNEL_VERSION = 20
+VMTEST_KERNEL_VERSION = 21
 BASE_KCONFIG = """
diff --git a/vmtest/kbuild.py b/vmtest/kbuild.py
index c7f04e80..3f6e06ae 100644
--- a/vmtest/kbuild.py
+++ b/vmtest/kbuild.py
@@ -94,6 +94,18 @@ _PATCHES = (
 name="s390-mm-make-memory_block_size_bytes-available-for-M.patch",
 versions=((KernelVersion("4.3"), KernelVersion("4.11")),),
 ),
+ _Patch(
+ name="libsubcmd-Fix-use-after-free-for-realloc-.-0.patch",
+ versions=(
+ (KernelVersion("5.16"), KernelVersion("5.16.11")),
+ (KernelVersion("5.11"), KernelVersion("5.15.25")),
+ (KernelVersion("5.5"), KernelVersion("5.10.102")),
+ (KernelVersion("4.20"), KernelVersion("5.4.181")),
+ (KernelVersion("4.15"), KernelVersion("4.19.231")),
+ (KernelVersion("4.10"), KernelVersion("4.14.268")),
+ (KernelVersion("4.5"), KernelVersion("4.9.303")),
+ ),
+ ),
 )
diff --git a/vmtest/patches/libsubcmd-Fix-use-after-free-for-realloc-.-0.patch b/vmtest/patches/libsubcmd-Fix-use-after-free-for-realloc-.-0.patch
new file mode 100644
index 00000000..76859e1a
--- /dev/null
+++ b/vmtest/patches/libsubcmd-Fix-use-after-free-for-realloc-.-0.patch
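Review bot: The new `_Patch` entry added to `_PATCHES` in vmtest/kbuild.py lists seven version pairs with no comment saying why each upper bound was chosen or whether that bound is inclusive, which makes the list hard to audit when a new stable release appears. The bounds look like the per-branch stable releases that picked up the upstream fix (inferred from the version numbers, not shown in the hunk), so a one-line comment above the entry would record that, e.g. `# GCC 12 -Werror=use-after-free breaks the tools/lib/subcmd build; each pair is one stable branch, ending at the release with the upstream fix.` It would also help to state there whether the second element of a pair is exclusive, since an off-by-one either skips the patch on a tree that still fails to build or tries to apply it to a tree that already contains it. `_PATCHES` and the `_Patch` definition start outside the hunk, so the bound semantics should be confirmed against them.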
@@ -0,0 +1,67 @@
+From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
+Message-Id: <52a9dab6d892763b2a8334a568bd4e2c1a6fde66.1685663905.git.osandov@osandov.com>
+From: Kees Cook
+Date: Sun, 13 Feb 2022 10:24:43 -0800
+Subject: [PATCH] libsubcmd: Fix use-after-free for realloc(..., 0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 12 correctly reports a potential use-after-free condition in the
+xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
+when size == 0:
+
+In file included from help.c:12:
+In function 'xrealloc',
+ inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 56 | ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 58 | ret = realloc(ptr, 1);
+ | ^~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+
+Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
+Reported-by: Valdis Klētnieks
+Signed-off-by: Kees Kook
+Tested-by: Valdis Klētnieks
+Tested-by: Justin M. Forbes
+Acked-by: Josh Poimboeuf
+Cc: linux-hardening@vger.kernel.org
+Cc: Valdis Klētnieks
+Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
+Signed-off-by: Arnaldo Carvalho de Melo
+---
+ tools/lib/subcmd/subcmd-util.h | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/tools/lib/subcmd/subcmd-util.h b/tools/lib/subcmd/subcmd-util.h
+index 794a375dad36..b2aec04fce8f 100644
+--- a/tools/lib/subcmd/subcmd-util.h
++++ b/tools/lib/subcmd/subcmd-util.h
+@@ -50,15 +50,8 @@ static NORETURN inline void die(const char *err, ...)
+ static inline void *xrealloc(void *ptr, size_t size)
+ {
+ void *ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret) {
+- ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret)
+- die("Out of memory, realloc failed");
+- }
++ if (!ret)
++ die("Out of memory, realloc failed");
+ return ret;
+ }
+
+--
+2.40.1
+