diff --git a/003-zeroize-hasher.patch b/003-zeroize-hasher.patch
new file mode 100644
index 0000000..7db6a0e
--- /dev/null
+++ b/003-zeroize-hasher.patch
@@ -0,0 +1,58 @@
+From e6e9288ecce61101ab765bc966ba8f780915802f Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Wed, 1 Nov 2023 10:54:03 +0100
+Subject: [PATCH] kcapi-hasher: zeroise temporary values for FIPS 140-3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Requirement introduced by AS05.10:
+"The temporary value(s) generated during the integrity test of the
+module’s software or firmware shall [05.10] be zeroised from the module
+upon completion of the integrity test;"
+
+As some modules use fipscheck or sha*hmac for integrity tests, these
+temporary values need to be zeroised from the hasher.
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+Signed-off-by: Stephan Mueller <smueller@chronox.de>
+---
+ apps/kcapi-hasher.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
+index 098b655..f5caf77 100644
+--- a/apps/kcapi-hasher.c
++++ b/apps/kcapi-hasher.c
+@@ -360,6 +360,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
+ 		if (hashlen > (uint32_t)ret) {
+ 			fprintf(stderr, "Invalid truncated hash size: %lu > %zd\n",
+ 			        (unsigned long)hashlen, ret);
++			kcapi_memset_secure(md, 0, sizeof(md));
+ 			return (int)ret;
+ 		}
+ 
+@@ -376,6 +377,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
+ 				ret = 1;
+ 			else
+ 				ret = 0;
++			kcapi_memset_secure(compmd, 0, sizeof(compmd));
+ 		} else {
+ 			if (outfile == NULL) { /* only print hash (hmaccalc -S) */
+ 				bin2print(md, hashlen, NULL, stdout,
+@@ -396,6 +398,7 @@ static int hasher(struct kcapi_handle *handle, const struct hash_params *params,
+ 		fprintf(stderr, "Generation of hash for file %s failed (%zd)\n",
+ 			filename ? filename : "stdin", ret);
+ 	}
++	kcapi_memset_secure(md, 0, sizeof(md));
+ 	return (int)ret;
+ }
+ 
+@@ -696,6 +699,7 @@ static int process_checkfile(const struct hash_params *params,
+ 	if (file)
+ 		fclose(file);
+ 	kcapi_md_destroy(handle);
++	kcapi_memset_secure(buf, 0, sizeof(buf));
+ 
+ 	/*
+ 	 * If we found no lines to check, return an error.
diff --git a/libkcapi.spec b/libkcapi.spec
index e02f548..1b8578a 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -136,6 +136,7 @@ Source3:        fipshmac-openssl.sh
 
 Patch1:         001-tests-kernel-version.patch
 Patch2:         002-fips-disable-ansi_cprng.patch
+Patch3:         003-zeroize-hasher.patch
 
 BuildRequires:  bash
 BuildRequires:  coreutils
@@ -519,6 +520,8 @@ popd
   Resolves: RHEL-5366
 - Add a patch to fix auxiliary tests in FIPS mode
   Resolves: RHEL-2406
+- Add a patch to zeroize kcapi-hasher for FIPS 140-3
+  Resolves: RHEL-15290
 
 * Tue May 26 2020 Sahana Prasad <sahana@redhat.com> - 1.2.0-2
 - Fix double free issue in hasher()