Related: RHEL-131347

- fix incomplete ml-kem pct patch.

nss-3.112-mlkem-fips-update.patch

@@ -3,7 +3,7 @@
 # Date 1761684967 25200
 #      Tue Oct 28 13:56:07 2025 -0700
 # Branch RHEL10
-# Node ID 418f1657f74f96af94aa91b1fcf39d7c4740b3fa
+# Node ID 41c115659ed4c65119d97e4be6bdc3030c9a4586
 # Parent  a2ec761c754f728b669dc32ea94e260362b43b5b
 nss-3.112-mlkem-fips-update.patch
 
@@ -574,6 +574,25 @@ diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
              case CKK_ML_KEM:
                  cipher_text_length = MAX_ML_KEM_CIPHER_LENGTH;
                  mech.mechanism = CKM_ML_KEM;
+@@ -5828,17 +5828,17 @@ kem_done:
+         PORT_Free(cipher_text);
+         if (key1 != CK_INVALID_HANDLE) {
+             NSC_DestroyObject(hSession, key1);
+         }
+         if (key2 != CK_INVALID_HANDLE) {
+             NSC_DestroyObject(hSession, key2);
+         }
+         if (crv != CKR_OK) {
+-            return CKR_DEVICE_ERROR;
++            return crv;
+         }
+     }
+ 
+     return CKR_OK;
+ }
+ 
+ /* NSC_GenerateKeyPair generates a public-key/private-key pair,
+  * creating new key objects. */
 @@ -7905,16 +7905,17 @@ sftk_DeriveEncrypt(SFTKCipher encrypt, v
          return crv;
      }

nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 7
+%global baserelease 8
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -1172,8 +1172,11 @@ fi
 
 
 %changelog
+* Fri Jan 23 2026 Bob Relyea <rrelyea@redhat.com> - 3.112.0-8
+- fix incomplete ml-kem pct patch.
+
 * Fri Jan 16 2026 Bob Relyea <rrelyea@redhat.com> - 3.112.0-7
-- fix gregression in -5 bug fix
+- fix regression in -5 bug fix
 
 * Fri Jan 9 2026 Bob Relyea <rrelyea@redhat.com> - 3.112.0-6
 - fix a null in ml-dsa pkcs12 decode