diff --git a/openssh-9.9p1-fill-default-options-error.patch b/openssh-9.9p1-fill-default-options-error.patch
new file mode 100644
index 0000000..4b80504
--- /dev/null
+++ b/openssh-9.9p1-fill-default-options-error.patch
@@ -0,0 +1,24 @@
+diff --color -ruNp a/readconf.c b/readconf.c
+--- a/readconf.c 2026-04-02 15:36:49.624394836 +0200
++++ b/readconf.c 2026-04-02 15:43:15.115047190 +0200
+@@ -2779,7 +2779,7 @@ fill_default_options(Options * options)
+ {
+ char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig;
+ char *def_cipher, *def_mac, *def_kex, *def_key, *def_sig;
+- int ret = 0, r;
++ int ret = 0;
+
+ if (options->forward_agent == -1)
+ options->forward_agent = 0;
+@@ -2989,9 +2989,9 @@ fill_default_options(Options * options)
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
+ do { \
+- if ((r = kex_assemble_names(&options->what, \
++ if ((ret = kex_assemble_names(&options->what, \
+ defaults, all)) != 0) { \
+- error_fr(r, "%s", #what); \
++ error_fr(ret, "%s", #what); \
+ goto fail; \
+ } \
+ } while (0)
diff --git a/openssh.spec b/openssh.spec
index 3b3ed29..a82b443 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -237,6 +237,8 @@ Patch1037: openssh-9.9p1-first-match-wins.patch
 # upstream eddd1d2daa64a6ab1a915ca88436fa41aede44d4
 # upstream bc328144f149af07139a0f2c1329018cd85b86b7
 Patch1038: openssh-9.9p1-maxstartups-mistracking.patch
+# https://github.com/openssh/openssh-portable/pull/649
+Patch1039: openssh-9.9p1-fill-default-options-error.patch
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND snprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
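Review bot: The ASSEMBLE macro in the embedded readconf.c patch now carries the kex_assemble_names() error out through `ret`, but nothing at the macro documents that the `goto fail` path depends on it. I would add a comment above the `#define`, e.g. `/* Store the error in ret: the fail path returns it, so a rejected list must not leave ret == 0. */`. The `fail:` label, the final return and the callers of fill_default_options() are outside both inner hunks, so it is worth confirming that nothing between the last ASSEMBLE() use and the return resets `ret`, and that every caller treats a non-zero result as fatal. Judging by the changelog entry, this return value is what makes ssh refuse an mlkem KEX in FIPS mode, so a regression check for that case shipped with the patch would keep the fail-closed behaviour from quietly regressing.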
@@ -439,6 +441,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1036 -p1 -b .gssapi-s4u
 %patch -P 1037 -p1 -b .first-match-wins
 %patch -P 1038 -p1 -b .maxstartups-mistracking
+%patch -P 1039 -p1 -b .fill-default-options-error
 %patch -P 100 -p1 -b .coverity
@@ -722,6 +725,8 @@ test -f %{sysconfig_anaconda} && \
 * Wed Apr 01 2026 Zoltan Fridrich - 9.9p1-25
 - Fix static analysis issues
 Resolves: RHEL-163365
+- Ssh should refuse connection when mlkem kex is specified in FIPS
+ Resolves: RHEL-155178
 * Fri Mar 27 2026 Zoltan Fridrich - 9.9p1-24
 - Fix typo in SPDX license name