diff --git a/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
new file mode 100644
index 0000000..7ec134e
--- /dev/null
+++ b/0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval
+Date: Fri, 1 Aug 2025 11:56:53 -0600
+Subject: [PATCH] Add __stack_chk_fail function for non-EFI archs
+
+This function allows to include '-fstack-protector-strong' compiler
+flag for non-EFI archs. Also fixes a configure.ac condition where only
+disables stack protection when stack protector is not possible.
+
+Signed-off-by: Leo Sandoval
+---
+ configure.ac | 4 +---
+ grub-core/kern/main.c | 8 ++++++++
+ include/grub/misc.h | 4 ++++
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a6a6957fbd..a803d21a3e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1466,9 +1466,7 @@ AC_ARG_ENABLE([stack-protector],
+ [],
+ [enable_stack_protector=no])
+ if test "x$enable_stack_protector" = xno; then
+- if test "x$ssp_possible" = xyes; then
+- # Need that, because some distributions ship compilers that include
+- # `-fstack-protector' in the default specs.
++ if test "x$ssp_possible" != xyes; then
+ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+ fi
+ elif test "x$platform" != xefi; then
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 2e6b79ee3d..aeafbbff9c 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -39,6 +39,14 @@
+ static bool cli_disabled = false;
+ static bool cli_need_auth = false;
+
++#ifndef GRUB_MACHINE_EFI
++void __attribute__ ((noreturn))
++__stack_chk_fail (void)
++{
++ grub_abort();
++}
++#endif
++
+ grub_addr_t
+ grub_modules_get_end (void)
+ {
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 0429339ef3..751eb992ca 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -446,6 +446,10 @@ extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
+ extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
+ extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
+
++#ifndef GRUB_MACHINE_EFI
++extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
++#endif
++
+ /* Must match softdiv group in gentpl.py. */
+ #if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
+ (defined(__riscv) && (__riscv_xlen == 32)))
diff --git a/grub.macros b/grub.macros
index ed740de..5a1865b 100644
--- a/grub.macros
+++ b/grub.macros
@@ -25,9 +25,7 @@
 %global cflags_sed \\\
 sed \\\
 -e 's/-O. //g' \\\
- -e 's/-fplugin=annobin//g' \\\
- -e 's,-specs=[[:alnum:]/_-]*annobin[[:alnum:]_-]*,,g' \\\
- -e 's/-fstack-protector[[:alpha:]-]\\+//g' \\\
+ -e 's/-fno-stack-protector//g' \\\
 -e 's/-[^ ]*D_FORTIFY_SOURCE=[[:digit:]][^ ]*\\+//g' \\\
 -e 's/--param=ssp-buffer-size=4//g' \\\
 -e 's/-mregparm=3/-mregparm=4/g' \\\
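Review bot: Nothing in this patch defines or seeds `__stack_chk_guard` for the non-EFI targets that the new `__stack_chk_fail` in grub-core/kern/main.c serves, so the strength of the canary on those builds cannot be judged from here. If the guard is a fixed value, or the target reads it from a thread-pointer slot that the bootloader never sets up, the check still catches accidental overruns but the canary is predictable. The function also has no comment; something like `/* Stack-protector failure hook for non-EFI targets; the canary comes from <guard source>. */` above it would record where the value originates. In configure.ac the inverted test loses the comment that explained the old branch, and `# Keep the compiler default when SSP works; force it off only when it cannot be used.` would state what the new one intends.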
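Review bot: The two `annobin` filters removed from `cflags_sed` are not covered by the changelog entry, which mentions only the stack protector, so it is unclear whether letting `-fplugin=annobin` and the annobin `-specs=` file through is intended. Both `host_cflags_` and `target_cflags` are built through this macro, so the change would presumably reach the freestanding target builds as well as the host tools. A changelog line such as `- Stop stripping annobin flags from the GRUB build flags` would make the change reviewable on its own. The macro's definition continues past the end of this hunk.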
@@ -37,7 +35,7 @@ -e 's/^/ -fno-strict-aliasing /' \\\ %{nil} -%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} | %{cflags_sed})} -fstack-protector-strong +%global host_cflags_ %{expand:%%(echo %{build_cflags} %{?_hardening_cflags} -fstack-protector-strong | %{cflags_sed})} %ifarch %{x86_64} %global host_cflags %{host_cflags_} -fcf-protection %else @@ -51,7 +49,7 @@ )} %global efi_host_cflags %{expand:%%(echo %{host_cflags})} -%global target_cflags %{expand:%%(echo %{build_cflags} | %{cflags_sed})} +%global target_cflags %{expand:%%(echo %{build_cflags} -fstack-protector-strong | %{cflags_sed})} %global legacy_target_cflags \\\ %{expand:%%(echo %{target_cflags} | \\\ %{cflags_sed} \\\ @@ -373,6 +371,7 @@ rm -r build-aux m4 \ --target=%{1} \\\ --with-grubdir=grub2 \\\ --program-transform-name=s,grub,grub2, \\\ + --enable-stack-protector=strong \\\ --disable-werror || ( cat config.log ; exit 1 ) \ git add . \ git commit -m "After efi configure" \ diff --git a/grub.patches b/grub.patches index 1c3c893..19618d8 100644 --- a/grub.patches +++ b/grub.patches @@ -367,3 +367,4 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch +Patch0371: 0371-Add-__stack_chk_fail-function-for-non-EFI-archs.patch diff --git a/grub2.spec b/grub2.spec index b5d6d11..e40ce76 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 25%{?dist}.alma.1 +Release: 26%{?dist}.alma.1 Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ 
@@ -565,10 +565,14 @@ fi %endif %changelog -* Sat Aug 02 2025 Eduard Abdullin - 1:2.12-25.alma.1 +* Fri Aug 08 2025 Eduard Abdullin - 1:2.12-26.alma.1 - Debrand for AlmaLinux - Build btrfs module +* Thu Jul 31 2025 Leo Sandoval 2.12-26 +- Enable strong stack protector on EFI configurations +- Resolves: #RHEL-89464 + * Thu Jul 31 2025 Leo Sandoval 2.12-25 - 20-grub.install: Skip BLS removal when entry type is type2 - Resolves: #RHEL-104167