diff --git a/edk2.spec b/edk2.spec
index 605e836..39b478a 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 13%{?dist}.8
+Release: 13%{?dist}.9
 Summary: UEFI firmware for 64-bit virtual machines
 Group: Applications/Emulators
 License: BSD-2-Clause-Patent and OpenSSL and MIT
@@ -19,7 +19,7 @@ URL: http://www.tianocore.org
 # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
 Source0: http://batcave.lab.eng.brq.redhat.com/www/edk2-%{GITCOMMIT}.tar.xz
 Source1: ovmf-whitepaper-c770f8c.txt
-Source2: openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz
+Source2: openssl-rhel-ad510221a6db362d7ed8725b2c92c91f643bc505.tar.xz
 Source3: ovmf-vars-generator
 Source4: LICENSE.qosb
 Source5: RedHatSecureBootPkKek1.pem
@@ -530,6 +530,13 @@ cp -a -- %{SOURCE1} %{SOURCE3} .
 cp -a -- %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} .
 tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
+# Fix missing include for CVE-2022-4304 implicit rejection patch (RHEL-115901)
+# Bug introduced in openssl by
+# commit 09a086d240f7d ("Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series")
+# The response to https://issues.redhat.com/browse/RHEL-142313 indicates that
+# we should use this work-around.
+sed -i '/#include /a #include ' CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+
 # Format the Red Hat-issued certificate that is to be enrolled as both Platform
 # Key and first Key Exchange Key, as an SMBIOS OEM String. This means stripping
 # the PEM header and footer, and prepending the textual representation of the
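Review bot: The `sed -i` added in the third edk2.spec hunk (right after the `tar -C CryptoPkg/Library/OpensslLib` extraction) exits successfully even when its address pattern matches nothing, so if a later openssl-rhel tarball changes the anchor line in pk7_doit.c the work-around silently stops applying and %prep gives no sign of it. Whether the build would then fail loudly or compile pk7_doit.c with an implicit declaration depends on compiler flags that are not visible here, and that uncertainty is unwelcome in crypto code shipped inside firmware. I would follow the sed with a check that fails %prep, for example `grep -qF '#include <HEADER_ADDED_BY_SED>' CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c || exit 1` (the header name is a placeholder, since the names inside the sed expression are not legible on this page). The comment block could also end with a removal condition such as `# Drop once the openssl-rhel tarball carries this include itself`, so the work-around is revisited the next time Source2 is bumped.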
@@ -842,6 +849,12 @@ true
 %endif
 %changelog
+* Tue Jan 27 2026 Jon Maloy - 20220126gitbb1bba3d77-13.el8.9
+- edk2-openssl-flatten-contents-of-openssl-tarball.patch [RHEL-115901]
+- edk2-Bumped-openssl-submodule-to-rhel-8-main.patch [RHEL-115901]
+- Resolves: RHEL-115901
+ (CVE-2025-9230 edk2: Out-of-bounds read & write in RFC 3211 KEK Unwrap [rhel-8.10.z])
+
 * Mon Jan 06 2025 Jon Maloy - 20220126gitbb1bba3d77-13.el8.8
 - edk2-ArmVirtPkg-Add-Hash2DxeCrypto-to-ArmVirtPkg.patch [RHEL-71687]
 - Resolves: RHEL-71687
diff --git a/sources b/sources
index ca406fc..654eeb2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (edk2-bb1bba3d77.tar.xz) = 3e0deb750d3443f4a2c15a066842e35a05a6dc65ce1869c229a8328d3dba8375949ee3825e16c7fe01bd77516a6717ccbdda1d674a2a862453e5480094c49c4c
-SHA512 (openssl-rhel-cf317b2bb227899cb2e761b9163210f62cab1b1e.tar.xz) = a8b89b7b515f8498ed344b2ec85f04a45ebe3d439c5d6a01c50557e3e72a26c9144dfefa805d581ca3c72ed0715f0e8c865785a84a5f3b0026ce6a09cfd27482
+SHA512 (openssl-rhel-ad510221a6db362d7ed8725b2c92c91f643bc505.tar.xz) = eefae2e7089a0782d99e21660bc874059edf7161200463d210c479862bccc02ee07a8c8c73a576a35365b953e12230a42e4b26bd62ee96284c2008088298415e