diff --git a/java-25-openjdk.spec b/java-25-openjdk.spec index 9a3862e..15b6d74 100644 --- a/java-25-openjdk.spec +++ b/java-25-openjdk.spec @@ -353,8 +353,9 @@ %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the crypto policy & FIPS support patches %global fipsver 9203d50836c -# Define nssadapter version +# Define nssadapter variables %global nssadapter_version 0.1.0 +%global nssadapter_name nssadapter-%{nssadapter_version} # Define whether the crypto policy is expected to be active when testing %global crypto_policy_active true # Define JDK versions @@ -1376,7 +1377,7 @@ Source30: 0008-Tools.gmk-Use-update-repository-on-RHEL-rather-than-.patch # FIPS support sources. # For libnssadapter.so (RHEL-128413) -Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/nssadapter-%{nssadapter_version}.tar.xz +Source31: https://github.com/rh-openjdk/nss-native-fips-key-import-export-adapter/releases/download/%{nssadapter_version}/%{nssadapter_name}.tar.xz # Create OpenJDK's crypto-policies hierarchy (RHEL-128409) Source32: create-redhat-properties-files.bash @@ -1458,6 +1459,13 @@ Source32: create-redhat-properties-files.bash # Currently empty +############################################# +# +# NSS adapter patches +# +############################################# +Patch2001: nssadapter-ldflags.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: alsa-lib-devel @@ -1938,6 +1946,11 @@ pushd %{top_level_dir_name} #%patch -P1001 -p1 popd # openjdk +# Patch NSS adapter +pushd %{nssadapter_name} +%patch -P2001 -p1 +popd # nssadapter + # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the 
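Review bot: The `Patch2001: nssadapter-ldflags.patch` line added in the @@ -1458 hunk has no comment saying what the patch changes or which ticket it belongs to, whereas the neighbouring `Source31` entry carries `# For libnssadapter.so (RHEL-128413)`. Going by the changelog entry in this same commit, a line such as `# Make the nssadapter Makefile honour LDFLAGS (RHEL-131898)` directly above it would do. Since this patch is what lets the packager's linker flags reach a FIPS support library, it is also worth recording whether it has been sent upstream, so that a later bump of `nssadapter_version` knows whether to keep or drop it.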
@@ -2008,16 +2021,16 @@ for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then jdkzip=%{releasezip} staticlibzip=%{staticlibzip} - make -C nssadapter-%{nssadapter_version} + make -C %{nssadapter_name} CFLAGS="%{ourflags}" LDFLAGS="%{ourldflags}" elif [ "x$suffix" = "x%{fastdebug_suffix_unquoted}" ] ; then jdkzip=%{fastdebugzip} staticlibzip=%{fastdebugstaticlibzip} - make -C nssadapter-%{nssadapter_version} + make -C %{nssadapter_name} CFLAGS="%{ourflags}" LDFLAGS="%{ourldflags}" else # slowdebug jdkzip=%{slowdebugzip} staticlibzip=%{slowdebugstaticlibzip} # Disable _FORTIFY_SOURCE to allow for no optimization - make -C nssadapter-%{nssadapter_version} CFLAGS="${CFLAGS} -O0 -Wp,-U_FORTIFY_SOURCE" + make -C %{nssadapter_name} CFLAGS="%{ourflags} -O0 -Wp,-U_FORTIFY_SOURCE" LDFLAGS="%{ourldflags}" fi installdir=%{installoutputdir -- ${suffix}} @@ -2028,8 +2041,8 @@ for suffix in %{build_loop} ; do mv java-%{featurever}-openjdk* ${installdir} # Install and clean libnssadapter.so - install -m 755 nssadapter-%{nssadapter_version}/bin/libnssadapter.so ${installdir}/lib - make -C nssadapter-%{nssadapter_version} clean + install -m 755 %{nssadapter_name}/bin/libnssadapter.so ${installdir}/lib + make -C %{nssadapter_name} clean # Fix build paths in ELF files so it looks like we built them portablenvr="%{name}-%{VERSION}-%{prelease}.%{portablesuffix}.%{_arch}" @@ -2592,6 +2605,11 @@ exit 0 %endif %changelog +* Fri Nov 28 2025 Andrew Hughes - 1:25.0.1.0.8-1 +- Pass ourflags and ourldflags into the nssadapter build using CFLAGS & LDFLAGS +- Patch the nssadapter build to recognise LDFLAGS +- Resolves: RHEL-131898 + * Mon Nov 24 2025 Thomas Fitzsimmons - 1:25.0.1.0.8-1 - Add libnssadapter.so - Add FIPS crypto-policies configuration diff --git a/nssadapter-ldflags.patch b/nssadapter-ldflags.patch new file mode 100644 index 0000000..04171b2 --- /dev/null +++ b/nssadapter-ldflags.patch 
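Review bot: Nothing in the @@ -2008 hunk, or in the install step that follows it, confirms that `%{ourflags}` and `%{ourldflags}` actually took effect in `libnssadapter.so`. The previous release and fastdebug calls passed no flags on the command line, and a future change to the upstream Makefile could drop them again without failing the build. If `%{ourldflags}` carries the usual distribution hardening (its definition is outside this diff), a check after the `install -m 755` line such as `readelf -d ${installdir}/lib/libnssadapter.so | grep -q BIND_NOW` would make a regression fail loudly; adjust the marker to whatever the flags really request. The slowdebug branch deliberately undefines `_FORTIFY_SOURCE`, so any compile-side check should be limited to the release and fastdebug images. The enclosing `for suffix` loop starts and ends outside the hunk.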
@@ -0,0 +1,41 @@
+diff --git a/Makefile b/Makefile
+index 5175f21..571748a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -13,12 +13,12 @@ DEVEL_PKGS = nss nss-softokn
+ LIB_DIR = $(shell pkg-config --variable=libdir nss-softokn)
+ SHARED_LIBS = pthread softokn3 nss3
+ STATIC_LIBS = freebl
+-SHR_CFLAGS = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL \
+- $(addprefix -l,$(SHARED_LIBS)) \
++SHR_CFLAGS = -shared -fPIC -fvisibility=hidden \
+ $(strip $(shell pkg-config --cflags $(DEVEL_PKGS))) \
+ -Wpedantic -Wall -Wextra -Wconversion -Werror
+ DBG_CFLAGS = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
+ -O0 -g
++SHR_LDFLAGS = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
+
+ # https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+ CLANG_FORMAT_STYLE = { \
+@@ -53,10 +53,12 @@ endif
+
+ .PHONY: release ## Build the library in RELEASE mode (default)
+ release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
++release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
+
+ .PHONY: debug ## Build the library in DEBUG mode
+ debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
++debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
+ debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
+ debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
+
+@@ -73,7 +75,7 @@ $(BIN_DIR):
+
+ $(OUTPUT): $(BIN_DIR) $(SRC_FILES)
+ @$(CREATE_DBG_SENTINEL_IF_NEEDED)
+- $(CC) $(BLD_CFLAGS) $(filter %.c, $+) \
++ $(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
+ $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@
+
+
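Review bot: `SHR_LDFLAGS` holds both a linker option (`-Wl,--exclude-libs,ALL`) and the `-l` libraries, so the recipe's new `$(BLD_LDFLAGS)` places `-lpthread -lsoftokn3 -lnss3` before the caller's `$(LDFLAGS)` and before the static `libfreebl.a`. Link order is significant for libraries and for positional options such as `-Wl,--as-needed`, so I would keep options and libraries apart, e.g. `SHR_LDFLAGS = -Wl,--exclude-libs,ALL` and `SHR_LDLIBS = $(addprefix -l,$(SHARED_LIBS))`, and add a comment on the `$(OUTPUT)` recipe stating which order is intended. The parts of the Makefile between the three inner hunks are not visible here, so whether other rules use these variables cannot be checked from this patch.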