diff --git a/opencryptoki-3.25.0-covscan-findings.patch b/opencryptoki-3.25.0-covscan-findings.patch
new file mode 100644
index 0000000..6a2e866
--- /dev/null
+++ b/opencryptoki-3.25.0-covscan-findings.patch
@@ -0,0 +1,43 @@
+commit 003d658322df316a352af591a3d059ca22fc40a3
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Jul 21 11:02:42 2025 +0200
+
+    Fix covscan findings
+    
+    Closes: https://github.com/opencryptoki/opencryptoki/issues/879
+    
+    Reported-by: Than Ngo <than@redhat.com>
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
+index 9195ff3c..383fb775 100644
+--- a/usr/lib/common/mech_aes.c
++++ b/usr/lib/common/mech_aes.c
+@@ -4561,6 +4561,11 @@ static CK_RV aeskw_wrap_pad(STDLL_TokData_t *tokdata, SESSION *sess,
+          * contains exactly eight octets, then prepend the AIV and encrypt
+          * the resulting 128-bit block using AES in ECB mode.
+          */
++        if (in_data_len > AES_KEY_WRAP_BLOCK_SIZE) {
++            TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
++            return CKR_DATA_LEN_RANGE;
++        }
++
+         memmove(buff + AES_KEY_WRAP_BLOCK_SIZE, in_data, in_data_len);
+         memcpy(buff, aiv, AES_KEY_WRAP_IV_SIZE);
+         memset(buff + AES_KEY_WRAP_IV_SIZE + in_data_len, 0, padding_len);
+diff --git a/usr/sbin/p11sak/p11tool.c b/usr/sbin/p11sak/p11tool.c
+index da684f79..5b72b93b 100644
+--- a/usr/sbin/p11sak/p11tool.c
++++ b/usr/sbin/p11sak/p11tool.c
+@@ -567,6 +567,11 @@ static void p11tool_print_options_help(const struct p11tool_opt *opts,
+         else
+             len = snprintf(tmp, sizeof(tmp),"-%c", opt->short_opt);
+ 
++        if (len >= (int)sizeof(tmp) || len < 0) {
++            warnx("Error formatting option string. Skipping.\n");
++            continue;
++        }
++
+         if (opt->arg.type != ARG_TYPE_PLAIN) {
+             if (opt->arg.required)
+                 snprintf(&tmp[len], sizeof(tmp) - len, " %s", opt->arg.name);
diff --git a/opencryptoki.spec b/opencryptoki.spec
index f1eb0de..0880b4d 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
 Version: 3.25.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -24,6 +24,9 @@ Patch3: opencryptoki-lockdir-image-mode.patch
 # Fix detection of EC curve not supported by OpenSSL-3.5.x
 Patch10: opencryptoki-openssl-3.5.x.patch
 
+# Fix covscan findings, https://github.com/opencryptoki/opencryptoki/pull/880
+Patch11: opencryptoki-3.25.0-covscan-findings.patch
+
 Requires(pre): coreutils
 Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
 BuildRequires: gcc gcc-c++
@@ -409,6 +412,11 @@ fi
 
 
 %changelog
+* Mon Jul 21 2025 Than Ngo <than@redhat.com> - 3.25.0-3
+- Fix incorrect effective group id of pkcsslotd daemon
+- Fix covscan findings
+  Resolves: RHEL-104598
+
 * Wed Jul 09 2025 Than Ngo <than@redhat.com> - 3.25.0-2
 - Related: RHEL-73343, Fix detection of EC curve not supported by OpenSSL-3.5.x
 - Related: RHEL-77146, Fix the image mode issue again as bootc expects to use /run/lock 
diff --git a/opencryptoki.sysusers.conf b/opencryptoki.sysusers.conf
index 0803919..b18be2a 100644
--- a/opencryptoki.sysusers.conf
+++ b/opencryptoki.sysusers.conf
@@ -1,3 +1,2 @@
-u pkcsslotd - "Opencryptoki pkcsslotd user"  /run/opencryptoki /sbin/nologin
 g pkcs11 - -
-m pkcsslotd pkcs11
+u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user"  /run/opencryptoki /sbin/nologin