diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index 2d31660f3e..1470b967da 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -85,3 +85,20 @@ (define-public flex
 executes the corresponding C code.")
 (license (non-copyleft "file://COPYING"
 "See COPYING in the distribution."))))
+
+;;; Many packages fail to build with flex > 2.6.1, due to this bug in flex:
+;;;
+;;; We must not use a flex before 2.6.1, due to CVE-2016-6354.
+;;; TODO Try using flex > 2.6.3.
+(define-public flex-2.6.1
+ (package
+ (inherit flex)
+ (version "2.6.1")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/westes/flex"
+ "/releases/download/v" version "/"
+ "flex-" version ".tar.xz"))
+ (sha256
+ (base32
+ "0gqhk4vkwy4gl9xbpgkljph8c0a5kpijz6wd0p5r9q202qn42yic"))))))
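Review bot: The comment above `flex-2.6.1` says the pin is needed "due to this bug in flex:" but the next line is a bare `;;;`, so as shown here no bug reference survives. The upstream issue link belongs on that line, e.g. `;;; <UPSTREAM-ISSUE-URL>` (placeholder), so a maintainer can tell when the pin can be dropped and the TODO resolved. Since this variant exists to stay at the CVE-2016-6354 fix level while avoiding a later regression, the comment should also say it is intended only for packages that fail to build with the default `flex`, so the older release does not become a general-purpose input that misses later fixes. The new `origin` replaces the inherited source wholesale, so any patches or snippets on the parent `flex` origin (defined outside this hunk) would presumably not carry over; worth confirming none of them are security-relevant.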