diff --git a/ChangeLog b/ChangeLog
index 849d0938e0..81f7dbe445 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Feb 25 17:48:16 2016  Eric Wong  <e@80x24.org>
+
+	* ext/socket/init.c (rsock_init_sock): reject reserved FDs
+	  [ruby-core:72445] [Bug #11862]
+
 Thu Feb 25 17:38:59 2016  Eric Wong  <e@80x24.org>
 
 	* ext/socket/init.c (rsock_init_sock): check FD after validating
diff --git a/ext/socket/init.c b/ext/socket/init.c
index ada81c5306..8333da1ab5 100644
--- a/ext/socket/init.c
+++ b/ext/socket/init.c
@@ -48,12 +48,12 @@ rsock_init_sock(VALUE sock, int fd)
 
     if (fstat(fd, &sbuf) < 0)
         rb_sys_fail("fstat(2)");
-    if (!S_ISSOCK(sbuf.st_mode)) {
+    if (!S_ISSOCK(sbuf.st_mode) || rb_reserved_fd_p(fd)) {
 	errno = EBADF;
         rb_sys_fail("not a socket file descriptor");
     }
 #else
-    if (!rb_w32_is_socket(fd)) {
+    if (!rb_w32_is_socket(fd) || rb_reserved_fd_p(fd)) {
 	errno = EBADF;
         rb_sys_fail("not a socket file descriptor");
     }
diff --git a/version.h b/version.h
index a72a559f49..f01a239506 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.1.9"
 #define RUBY_RELEASE_DATE "2016-02-25"
-#define RUBY_PATCHLEVEL 445
+#define RUBY_PATCHLEVEL 446
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 2