diff --git a/libssh-0.11.1-CVE-2025-5318.patch b/libssh-0.11.1-CVE-2025-5318.patch
new file mode 100644
index 0000000..59e2525
--- /dev/null
+++ b/libssh-0.11.1-CVE-2025-5318.patch
@@ -0,0 +1,27 @@
+From b47ccd17559f79bfb2d6b94d2bf84856cf06259e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 22 Apr 2025 21:18:44 +0200
+Subject: [PATCH] CVE-2025-5318: sftpserver: Fix possible buffer overrun
+
+Signed-off-by: Jakub Jelen
+Reviewed-by: Andreas Schneider
+---
+ src/sftpserver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 1afd8b2f..2aa28baa 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -704,7 +704,7 @@ void *sftp_handle(sftp_session sftp, ssh_string handle)
+
+ memcpy(&val, ssh_string_data(handle), sizeof(uint32_t));
+
+- if (val > SFTP_HANDLES) {
++ if (val >= SFTP_HANDLES) {
+ return NULL;
+ }
+
+--
+2.50.1
+
diff --git a/libssh.spec b/libssh.spec
index f2c0bc6..953fd7a 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name: libssh
 Version: 0.11.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A library implementing the SSH protocol
 License: LGPL-2.1-or-later
 URL: http://www.libssh.org
@@ -11,8 +11,11 @@ Source2: https://www.libssh.org/files/0x03D5DF8CFDD3E8E7_libssh_libssh_or
 Source3: libssh_client.config
 Source4: libssh_server.config
 # Don't use global openssl.cnf for PKCS#11 URI Tests
-# https://gitlab.com/libssh/libssh-mirror/-/merge_requests/543
+# https://gitlab.com/libssh/libssh-mirror/-/commit/46d74176
 Patch1: libssh-0.11.1-fix-provider-loading.patch
+# Fix possible buffer overrun in the SFTP server
+# https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df
+Patch2: libssh-0.11.1-CVE-2025-5318.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
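Review bot: In the embedded `src/sftpserver.c` hunk, the corrected bound `if (val >= SFTP_HANDLES)` has no comment saying why equality must be rejected, even though `val` is copied from the handle string, which in an SFTP server presumably comes from the peer. The lookup that uses `val` lies outside the hunk, but if it indexes a table of SFTP_HANDLES entries, a one-line comment such as `/* val is peer-controlled; valid slots are 0 .. SFTP_HANDLES - 1 */` would keep the off-by-one from being reintroduced. The `memcpy` above the check reads `sizeof(uint32_t)` bytes from `ssh_string_data(handle)`, and no length check on `handle` is visible here, so confirm that one exists in the earlier part of `sftp_handle`. A regression test that passes a handle value equal to SFTP_HANDLES and expects NULL would pin the fix in the package's test run.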
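Review bot: The comment added above `Patch2` in `libssh.spec` cites upstream commit `ae8881df`, but the patch file added in this same commit carries `From b47ccd17559f79bfb2d6b94d2bf84856cf06259e` in its header, so the two references do not match. This may simply be the master commit versus a stable-branch cherry-pick, but for a CVE fix the spec should let a reader verify the shipped patch against the exact upstream commit it was generated from. Consider extending the comment, e.g. `# https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df (patch generated from <BRANCH> commit b47ccd17)`, with the branch filled in by the packager.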
@@ -35,6 +38,7 @@ BuildRequires: nmap-ncat
 BuildRequires: pkcs11-provider
 BuildRequires: p11-kit-devel
 BuildRequires: p11-kit-server
+BuildRequires: p11-kit-client
 BuildRequires: opensc
 BuildRequires: softhsm
 BuildRequires: gnutls-utils
@@ -141,6 +145,11 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 %changelog
+* Tue Sep 30 2025 Pavol Žáčik - 0.11.1-3
+- Fix CVE-2025-5318
+ Resolves: RHEL-111721
+- Add BuildRequires for p11-kit-client
+
 * Tue Oct 29 2024 Troy Dawson - 0.11.1-2
 - Bump release for October 2024 mass rebuild:
 Resolves: RHEL-64018