diff --git a/changes.txt b/changes.txt
index 49f92ecd..c5cd5630 100644
--- a/changes.txt
+++ b/changes.txt
@@ -334,6 +334,7 @@ Changes in 1.9 (not yet released)
 --------------------------
 Changes in 1.8.6
+- Security: Fix buffer overflow caused by malformed md2 files. Thanks @procfs for reporting (https://irrlicht.sourceforge.io/forum/viewtopic.php?f=7&t=52785)
 - Makefile now only adds CFLAGS instead of overwriting them.
 - Several spelling fixes (Patch #455). Thanks @J. Puydt
diff --git a/source/Irrlicht/CMD2MeshFileLoader.cpp b/source/Irrlicht/CMD2MeshFileLoader.cpp
index f32e4e3a..bb342fd5 100644
--- a/source/Irrlicht/CMD2MeshFileLoader.cpp
+++ b/source/Irrlicht/CMD2MeshFileLoader.cpp
@@ -151,6 +151,13 @@ bool CMD2MeshFileLoader::loadFile(io::IReadFile* file, CAnimatedMeshMD2* mesh)
 return false;
 }
+ const int MAX_FRAME_SIZE = MD2_MAX_VERTS*4+128;
+ if ( header.frameSize > MAX_FRAME_SIZE )
+ {
+ os::Printer::log("MD2 Loader: Invalid large frame size in header", file->getFileName(), ELL_WARNING);
+ return false;
+ }
+
 //
 // prepare mesh and allocate memory
 //
@@ -232,7 +239,7 @@ bool CMD2MeshFileLoader::loadFile(io::IReadFile* file, CAnimatedMeshMD2* mesh)
 // read Vertices
- u8 buffer[MD2_MAX_VERTS*4+128];
+ u8 buffer[MAX_FRAME_SIZE];
 SMD2Frame* frame = (SMD2Frame*)buffer;
 file->seek(header.offsetFrames);
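Review bot: The new guard in the first hunk only rejects a `header.frameSize` above MAX_FRAME_SIZE, so a negative frame size from a crafted header still passes the check; frameSize's declaration is not in the hunk, but if it is a signed 32-bit field like the other MD2 header fields, the comparison against the `int` constant is signed and a negative value is accepted. That value presumably reaches the per-frame read that fills the buffer later in loadFile (not visible here), and if that read API takes an unsigned length, the negative size becomes a multi-gigabyte read into the stack buffer the second hunk resizes — the same class of overflow this commit sets out to close. Tighten the check to `if ( header.frameSize < 0 || header.frameSize > MAX_FRAME_SIZE )`, and consider also rejecting a frameSize smaller than the fixed part of SMD2Frame so the loader never interprets stale buffer bytes as a frame header. The body of loadFile continues outside both hunks, so the read loop this guard protects cannot be confirmed from the diff.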
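Review bot: In the second hunk the buffer is now sized by MAX_FRAME_SIZE, a local `const int` declared roughly ninety lines earlier in the same function, which keeps the header check and the buffer definition in sync today but leaves nothing that fails if someone later changes one without the other. Consider moving the constant to file scope next to MD2_MAX_VERTS, from which it is derived, and adding a one-line comment on the buffer such as `// sized to MAX_FRAME_SIZE; loadFile rejects any header.frameSize larger than this before we get here` so the dependency is visible at the point of use. loadFile starts and ends outside this hunk.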