diff --git a/pkgs/os-specific/linux/procps-ng/default.nix b/pkgs/os-specific/linux/procps-ng/default.nix
index 67b839a1bd36..56a92ffa44ef 100644
--- a/pkgs/os-specific/linux/procps-ng/default.nix
+++ b/pkgs/os-specific/linux/procps-ng/default.nix
@@ -27,7 +27,9 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-RRiz56r9NOwH0AY9JQ/UdJmbILIAIYw65W9dIRPxQbQ=";
   };
 
-  patches = lib.optionals stdenv.hostPlatform.isMusl [
+  patches = [
+    ./v3-CVE-2023-4016.patch
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
     # NOTE: Starting from 4.x we will not need a patch anymore, but need to add
     # "--disable-w" to configureFlags instead to prevent the utmp errors
     (fetchpatch {
diff --git a/pkgs/os-specific/linux/procps-ng/v3-CVE-2023-4016.patch b/pkgs/os-specific/linux/procps-ng/v3-CVE-2023-4016.patch
new file mode 100644
index 000000000000..2e260eaf7382
--- /dev/null
+++ b/pkgs/os-specific/linux/procps-ng/v3-CVE-2023-4016.patch
@@ -0,0 +1,63 @@
+This is https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413.diff
+back-ported to procps 3.3.17.  That commit changes xmalloc to xcalloc.  This patch differs in two ways:
+
+* We modify it to change malloc (no x-) to xcalloc instead
+* We pull in procps-4's definition of xcalloc
+
+Alternative considered: Also pull in commits that changed malloc to xmalloc and defined xcalloc.
+This alternative is rejected because those commits contain many other unrelated changes.
+
+diff --git a/ps/parser.c b/ps/parser.c
+index 4263a1fb..ee9a57d9 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -36,6 +36,14 @@
+ #include "common.h"
+ #include "c.h"
+ 
++static void *xxcalloc(const size_t nelems, const size_t size)
++{
++  void *ret = calloc(nelems, size);
++  if (!ret && size && nelems)
++    xerrx(EXIT_FAILURE, "cannot allocate %zu bytes", nelems*size);
++  return ret;
++}
++
+ #define ARG_GNU  0
+ #define ARG_END  1
+ #define ARG_PGRP 2
+@@ -184,7 +192,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   const char *err;       /* error code that could or did happen */
+   /*** prepare to operate ***/
+   node = malloc(sizeof(selection_node));
+-  node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+   node->n = 0;
+   buf = strdup(arg);
+   /*** sanity check and count items ***/
+@@ -205,6 +212,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   } while (*++walk);
+   if(need_item) goto parse_error;
+   node->n = items;
++  node->u = xxcalloc(items, sizeof(sel_union));
+   /*** actually parse the list ***/
+   walk = buf;
+   while(items--){
+@@ -1031,15 +1039,15 @@ static const char *parse_trailing_pids(void){
+   thisarg = ps_argc - 1;   /* we must be at the end now */
+ 
+   pidnode = malloc(sizeof(selection_node));
+-  pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++  pidnode->u = xxcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   pidnode->n = 0;
+ 
+   grpnode = malloc(sizeof(selection_node));
+-  grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++  grpnode->u = xxcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   grpnode->n = 0;
+ 
+   sidnode = malloc(sizeof(selection_node));
+-  sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++  sidnode->u = xxcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   sidnode->n = 0;
+ 
+   while(i--){