diff --git a/net-snmp-5.8-callback-fix.patch b/net-snmp-5.8-callback-fix.patch
new file mode 100644
index 0000000..d82a41f
--- /dev/null
+++ b/net-snmp-5.8-callback-fix.patch
@@ -0,0 +1,32 @@
+diff -urNp a/snmplib/callback.c b/snmplib/callback.c
+--- a/snmplib/callback.c	2025-08-13 15:21:25.507544080 +0200
++++ b/snmplib/callback.c	2025-08-13 15:25:01.973092935 +0200
+@@ -346,13 +346,17 @@ snmp_call_callbacks(int major, int minor
+     /*
+      * for each registered callback of type major and minor 
+      */
+-    for (scp = thecallbacks[major][minor]; scp != NULL; scp = scp->next) {
++    scp = thecallbacks[major][minor];
++    while (scp != NULL) {
++        struct snmp_gen_callback *scp_next = scp->next;
+ 
+         /*
+          * skip unregistered callbacks
+          */
+-        if(NULL == scp->sc_callback)
++        if(NULL == scp->sc_callback) {
++            scp = scp_next;
+             continue;
++        }
+ 
+         DEBUGMSGTL(("callback", "calling a callback for maj=%d min=%d\n",
+                     major, minor));
+@@ -363,6 +367,8 @@ snmp_call_callbacks(int major, int minor
+         (*(scp->sc_callback)) (major, minor, caller_arg,
+                                scp->sc_client_arg);
+         count++;
++
++        scp = scp_next;
+     }
+ 
+     DEBUGMSGTL(("callback",
diff --git a/net-snmp.spec b/net-snmp.spec
index 239c772..32f0463 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
@@ -61,6 +61,7 @@ Patch31:    net-snmp-5.9-CVE-2022-24805-24810.patch
 Patch32:    net-snmp-5.9.4-kernel-6.7.patch
 Patch33:    net-snmp-5.9-deleted-iface.patch
 Patch34:    net-snmp-5.9.4-revert-n-snmptrapd-log.patch
+Patch35:    net-snmp-5.8-callback-fix.patch
 
 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@@ -247,6 +248,7 @@ cp %{SOURCE10} .
 %patch32 -p1 -b .kernel-6.7-fix
 %patch33 -p1 -b .iface
 %patch34 -p1 -b .revert-n-snmptrapd-log
+%patch35 -p1 -b .callback-fix
 
 %patch101 -p1 -b .modern-rpm-api
 %patch102 -p1
@@ -518,6 +520,7 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %changelog
 * Wed Oct 22 2025 Josef Ridky <jridky@redhat.com> - 1:5.9.1-18
 - fix inverted usage of -n in snmptrapd (RHEL-101078)
+- fix use after free issue (RHEL-121091)
 
 * Tue Jul 16 2024 Josef Ridky <jridky@redhat.com> - 1:5.9.1-17
 - fix segfault with error on subcontainer (RHEL-46033)