diff --git a/.patch/openssl-cmake/0004-use-shell-wrapper.patch b/.patch/openssl-cmake/0004-use-shell-wrapper.patch
new file mode 100644
index 0000000000..a118d86d80
--- /dev/null
+++ b/.patch/openssl-cmake/0004-use-shell-wrapper.patch
@@ -0,0 +1,17 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 9ff14c8..72dd753 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -301,6 +301,12 @@ if(ANDROID)
+     )
+ endif()
+ 
++# posix_spawn can race with overlayfs in containers, use fork+execve instead.
++if(NOT WIN32)
++    string(REPLACE ";" " " _openssl_build_cmd "${OPENSSL_BUILD_COMMAND}")
++    set(OPENSSL_BUILD_COMMAND sh -c "${_openssl_build_cmd}")
++endif()
++
+ file(GLOB_RECURSE OPENSSL_SOURCES
+     ${OpenSSL_SOURCE_DIR}/*.[ch]
+     ${OpenSSL_SOURCE_DIR}/*.[ch].in
diff --git a/cpmfile.json b/cpmfile.json
index fdcf4b60d5..48201e627d 100644
--- a/cpmfile.json
+++ b/cpmfile.json
@@ -19,7 +19,8 @@
         "patches": [
             "0001-cpmutil-compat.patch",
             "0002-use-ccache.patch",
-            "0003-use-cmake-compiler-flags.patch"
+            "0003-use-cmake-compiler-flags.patch",
+            "0004-use-shell-wrapper.patch"
         ]
     },
     "openssl": {