diff --git a/0005-libsepol-cil-Check-that-sym_index-is-within-bounds.patch b/0005-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
new file mode 100644
index 0000000..eff7939
--- /dev/null
+++ b/0005-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
@@ -0,0 +1,41 @@
+From efa129d27364d7c727dd0cdf017f16e00c6d5fe0 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 23 Jul 2024 16:41:57 +0200
+Subject: [PATCH] libsepol/cil: Check that sym_index is within bounds
+Content-type: text/plain
+
+Make sure sym_index is within the bounds of symtab array before using it
+to index the array.
+
+Fixes:
+  Error: OVERRUN (CWE-119):
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
+  libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
+  \# 3187|                   switch (curr->flavor) {
+  \# 3188|                   case CIL_STRING:
+  \# 3189|->                         rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
+  \# 3190|                           if (rc != SEPOL_OK) {
+  \# 3191|                                   goto exit;
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index 427a320c976d..da8863c4c29f 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -4291,7 +4291,7 @@ int cil_resolve_name_keep_aliases(struct cil_tree_node *ast_node, char *name, en
+ 	int rc = SEPOL_ERR;
+ 	struct cil_tree_node *node = NULL;
+ 
+-	if (name == NULL) {
++	if (name == NULL || sym_index >= CIL_SYM_NUM) {
+ 		cil_log(CIL_ERR, "Invalid call to cil_resolve_name\n");
+ 		goto exit;
+ 	}
+-- 
+2.49.0
+
diff --git a/0006-libsepol-cil-Initialize-avtab_datum-on-declaration.patch b/0006-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
new file mode 100644
index 0000000..45655ef
--- /dev/null
+++ b/0006-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
@@ -0,0 +1,82 @@
+From c7cb424472faea08e79506d0f73a579275683bda Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:15 +0200
+Subject: [PATCH] libsepol/cil: Initialize avtab_datum on declaration
+Content-type: text/plain
+
+avtab_datum.xperms was not always initialized before being used.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:977:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1059:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1057|   			}
+ \# 1058|   		}
+ \# 1059|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1060|   	}
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_binary.c:1348:2: var_decl: Declaring variable "avtab_datum" without initializer.
+libsepol-3.7/cil/src/cil_binary.c:1384:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
+ \# 1382|   	} else {
+ \# 1383|   		avtab_datum.data = data;
+ \# 1384|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ \# 1385|   	}
+ \# 1386|
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index a8e3616a32d0..7a00c8d55f96 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -974,7 +974,7 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
++	avtab_datum_t avtab_datum = { .data = res, .xperms = NULL };
+ 	avtab_ptr_t existing;	
+ 
+ 	avtab_key.source_type = src;
+@@ -996,8 +996,6 @@ static int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src,
+ 		goto exit;
+ 	}
+ 
+-	avtab_datum.data = res;
+-	
+ 	existing = avtab_search_node(&pdb->te_avtab, &avtab_key);
+ 	if (existing) {
+ 		/* Don't add duplicate type rule and warn if they conflict.
+@@ -1345,7 +1343,7 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ {
+ 	int rc = SEPOL_OK;
+ 	avtab_key_t avtab_key;
+-	avtab_datum_t avtab_datum;
++	avtab_datum_t avtab_datum = { .data = data, .xperms = NULL };
+ 	avtab_datum_t *avtab_dup = NULL;
+ 
+ 	avtab_key.source_type = src;
+@@ -1371,7 +1369,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 	if (!cond_node) {
+ 		avtab_dup = avtab_search(&pdb->te_avtab, &avtab_key);
+ 		if (!avtab_dup) {
+-			avtab_datum.data = data;
+ 			rc = avtab_insert(&pdb->te_avtab, &avtab_key, &avtab_datum);
+ 		} else {
+ 			if (kind == CIL_AVRULE_DONTAUDIT)
+@@ -1380,7 +1377,6 @@ static int __cil_insert_avrule(policydb_t *pdb, uint32_t kind, uint32_t src, uin
+ 				avtab_dup->data |= data;
+ 		}
+ 	} else {
+-		avtab_datum.data = data;
+ 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
+ 	}
+ 
+-- 
+2.49.0
+
diff --git a/0007-libsepol-mls-Do-not-destroy-context-on-memory-error.patch b/0007-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
new file mode 100644
index 0000000..89bc0ce
--- /dev/null
+++ b/0007-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
@@ -0,0 +1,75 @@
+From 31652b2297249539c6637939f3154f5cac8c867b Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:16 +0200
+Subject: [PATCH] libsepol/mls: Do not destroy context on memory error
+Content-type: text/plain
+
+In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
+space and context_destroy should not be used on it.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
+ \#  697|   	ERR(handle, "could not check if mls context %s contains %s",
+ \#  698|   	    mls1, mls2);
+ \#  699|-> 	context_destroy(ctx1);
+ \#  700|   	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
+libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
+libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
+ \#  698|   	    mls1, mls2);
+ \#  699|   	context_destroy(ctx1);
+ \#  700|-> 	context_destroy(ctx2);
+ \#  701|   	free(ctx1);
+ \#  702|   	free(ctx2);
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/mls.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
+index 45db89207704..a37405d190a5 100644
+--- a/libsepol/src/mls.c
++++ b/libsepol/src/mls.c
+@@ -672,8 +672,10 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	context_struct_t *ctx1 = NULL, *ctx2 = NULL;
+ 	ctx1 = malloc(sizeof(context_struct_t));
+ 	ctx2 = malloc(sizeof(context_struct_t));
+-	if (ctx1 == NULL || ctx2 == NULL)
++	if (ctx1 == NULL || ctx2 == NULL){
++		ERR(handle, "out of memory");
+ 		goto omem;
++	}
+ 	context_init(ctx1);
+ 	context_init(ctx2);
+ 
+@@ -690,16 +692,14 @@ int sepol_mls_contains(sepol_handle_t * handle,
+ 	free(ctx2);
+ 	return STATUS_SUCCESS;
+ 
+-      omem:
+-	ERR(handle, "out of memory");
+-
+       err:
+-	ERR(handle, "could not check if mls context %s contains %s",
+-	    mls1, mls2);
+ 	context_destroy(ctx1);
+ 	context_destroy(ctx2);
++      omem:
+ 	free(ctx1);
+ 	free(ctx2);
++	ERR(handle, "could not check if mls context %s contains %s",
++	    mls1, mls2);
+ 	return STATUS_ERR;
+ }
+ 
+-- 
+2.49.0
+
diff --git a/0008-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch b/0008-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
new file mode 100644
index 0000000..b7b9897
--- /dev/null
+++ b/0008-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
@@ -0,0 +1,41 @@
+From b394cd4a814ea83aaefb87e9fefb93ddd06df07f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:17 +0200
+Subject: [PATCH] libsepol/cil/cil_post: Initialize tmp on declaration
+Content-type: text/plain
+
+tmp.node was not always initialized before being used by
+ebitmap_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
+libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
+ \# 1380|   				if (rc != SEPOL_OK) {
+ \# 1381|   					cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
+ \# 1382|-> 					ebitmap_destroy(&tmp);
+ \# 1383|   					goto exit;
+ \# 1384|   				}
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/cil/src/cil_post.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index 7f45299a3355..6497f1524488 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -1313,6 +1313,8 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max,
+ 	curr = expr->head;
+ 	flavor = expr->flavor;
+ 
++	ebitmap_init(&tmp);
++
+ 	if (curr->flavor == CIL_OP) {
+ 		enum cil_flavor op = (enum cil_flavor)(uintptr_t)curr->data;
+ 
+-- 
+2.49.0
+
diff --git a/0009-libsepol-Initialize-strs-on-declaration.patch b/0009-libsepol-Initialize-strs-on-declaration.patch
new file mode 100644
index 0000000..521c32c
--- /dev/null
+++ b/0009-libsepol-Initialize-strs-on-declaration.patch
@@ -0,0 +1,64 @@
+From 3b9a52e387cf8951135d54c14863724b898082ee Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 23 Oct 2024 15:43:18 +0200
+Subject: [PATCH] libsepol: Initialize "strs" on declaration
+Content-type: text/plain
+
+The value of "strs" was not always initialized before being used by
+strs_destroy.
+
+Fixes:
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1485|
+ \# 1486|   exit:
+ \# 1487|-> 	strs_destroy(&strs);
+ \# 1488|
+ \# 1489|   	if (rc != 0) {
+
+Error: UNINIT (CWE-457):
+libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
+libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
+ \# 1459|
+ \# 1460|   exit:
+ \# 1461|-> 	strs_destroy(&strs);
+ \# 1462|
+ \# 1463|   	if (rc != 0) {
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libsepol/src/kernel_to_cil.c  | 2 +-
+ libsepol/src/kernel_to_conf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 119b657bb009..216b534a745d 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1424,7 +1424,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_cil(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
++	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index 83f46e0fd948..6900700aa39a 100644
+--- a/libsepol/src/kernel_to_conf.c
++++ b/libsepol/src/kernel_to_conf.c
+@@ -1407,7 +1407,7 @@ static int map_type_aliases_to_strs(char *key, void *data, void *args)
+ static int write_type_alias_rules_to_conf(FILE *out, struct policydb *pdb)
+ {
+ 	type_datum_t *alias;
+-	struct strs *strs;
++	struct strs *strs = NULL;
+ 	char *name;
+ 	char *type;
+ 	unsigned i, num = 0;
+-- 
+2.49.0
+
diff --git a/libsepol.spec b/libsepol.spec
index eeab396..4870092 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/libsepol-3.6.tar.gz
 URL: https://github.com/SELinuxProject/selinux/wiki
@@ -14,6 +14,11 @@ Patch0001: 0001-libsepol-Bring-back-POLICYDB_CAPABILITY_-constants.patch
 Patch0002: 0002-Revert-Do-not-automatically-install-Russian-translat.patch
 Patch0003: 0003-Revert-libsepol-Remove-the-Russian-translations.patch
 Patch0004: 0004-libsepol-sepol_compute_sid-Do-not-destroy-uninitiali.patch
+Patch0005: 0005-libsepol-cil-Check-that-sym_index-is-within-bounds.patch
+Patch0006: 0006-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+Patch0007: 0007-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
+Patch0008: 0008-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
+Patch0009: 0009-libsepol-Initialize-strs-on-declaration.patch
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
@@ -110,6 +115,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 %{_mandir}/man8/chkcon.8.gz
 
 %changelog
+* Mon Mar 24 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.6-3
+- Fix static analyzer issues (RHEL-28966)
+
 * Fri Jan 10 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.6-2
 - sepol_compute_sid: Do not destroy uninitialized context (RHEL-28964)