diff --git a/libssh-0.11.1-CVE-2025-5987.patch b/libssh-0.11.1-CVE-2025-5987.patch
new file mode 100644
index 0000000..eb52361
--- /dev/null
+++ b/libssh-0.11.1-CVE-2025-5987.patch
@@ -0,0 +1,31 @@
+From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 May 2025 22:51:41 +0200
+Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha
+ initialization
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ src/libcrypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcrypto.c b/src/libcrypto.c
+index b2e95cfe..1d583bc5 100644
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -794,9 +794,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher,
+         SSH_LOG(SSH_LOG_TRACE, "EVP_CIPHER_CTX_new failed");
+         goto out;
+     }
+-    ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
++    rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL,
+                              u8key + CHACHA20_KEYLEN, NULL);
+-    if (ret != 1) {
++    if (rv != 1) {
+         SSH_LOG(SSH_LOG_TRACE, "EVP_CipherInit failed");
+         goto out;
+     }
+-- 
+2.51.0
+
diff --git a/libssh.spec b/libssh.spec
index 28eb1ad..bab066b 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.11.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPL-2.1-or-later
 URL:            http://www.libssh.org
@@ -16,6 +16,9 @@ Patch1:         libssh-0.11.1-fix-provider-loading.patch
 # Fix possible buffer overrun in the SFTP server
 # https://gitlab.com/libssh/libssh-mirror/-/commit/ae8881df
 Patch2:         libssh-0.11.1-CVE-2025-5318.patch
+# libcrypto: Correctly detect failures of chacha initialization
+# https://gitlab.com/libssh/libssh-mirror/-/commit/bc4804aa
+Patch3:         libssh-0.11.1-CVE-2025-5987.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@@ -144,6 +147,10 @@ popd
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
 
 %changelog
+* Thu Dec 11 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-5
+- Fix CVE-2025-5987
+  Resolves: RHEL-130040
+
 * Tue Sep 30 2025 Pavol Žáčik <pzacik@redhat.com> - 0.11.1-4
 - Rebuild due to broken build auto-tagging