diff --git a/ncurses-cve-2025-69720.patch b/ncurses-cve-2025-69720.patch
new file mode 100644
index 0000000..d88346c
--- /dev/null
+++ b/ncurses-cve-2025-69720.patch
@@ -0,0 +1,21 @@
+--- a/progs/infocmp.c
++++ b/progs/infocmp.c
+@@ -847,7 +847,7 @@ lookup_params(const assoc * table, char *dst, char *src)
+ static void
+ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp)
+ {
+-    char buf2[MAX_TERMINFO_LENGTH];
++    char buf2[MAX_TERMINFO_LENGTH + 1];
+     const char *sp;
+     const assoc *ap;
+     int tp_lines = tp->Numbers[2];
+@@ -877,7 +877,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp)
+ 	    if (VALID_STRING(cp) &&
+ 		cp[0] != '\0' &&
+ 		cp != cap) {
+-		len = strlen(cp);
++		if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH)
++		    len = MAX_TERMINFO_LENGTH;
+ 		_nc_STRNCPY(buf2, sp, len);
+ 		buf2[len] = '\0';
+ 
diff --git a/ncurses.spec b/ncurses.spec
index 08a55ce..4b249c6 100644
--- a/ncurses.spec
+++ b/ncurses.spec
@@ -9,13 +9,14 @@
 Summary: Ncurses support utilities
 Name: ncurses
 Version: 6.4
-Release: 14.%{revision}%{?dist}
+Release: 15.%{revision}%{?dist}
 License: MIT-open-group
 URL: https://invisible-island.net/ncurses/ncurses.html
 Source0: https://invisible-mirror.net/archives/ncurses/current/ncurses-%{version}-%{revision}.tgz
 Source1: https://invisible-mirror.net/archives/ncurses/current/ncurses-%{version}-%{revision}.tgz.asc
 Source2: https://invisible-island.net/public/dickey@invisible-island.net-rsa3072.asc
 
+Patch1: ncurses-cve-2025-69720.patch
 Patch8: ncurses-config.patch
 Patch9: ncurses-libs.patch
 Patch11: ncurses-urxvt.patch
@@ -119,6 +120,7 @@ The ncurses-static package includes static libraries of the ncurses library.
 
 %setup -q -n %{name}-%{version}-%{revision}
 
+%patch -P1 -p1 -b .cve-2025-69720
 %patch -P8 -p1 -b .config
 %patch -P9 -p1 -b .libs
 %patch -P11 -p1 -b .urxvt
@@ -298,6 +300,9 @@ xz NEWS
 %{_libdir}/lib*.a
 
 %changelog
+* Tue Mar 24 2026 Miroslav Lichvar <mlichvar@redhat.com> 6.4-15.20240127
+- fix buffer overflow in infocmp -i (CVE-2025-69720)
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 6.4-14.20240127
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018