diff --git a/openssl-1.1.1-cve-2025-9230.patch b/openssl-1.1.1-cve-2025-9230.patch
new file mode 100644
index 0000000..5c1f511
--- /dev/null
+++ b/openssl-1.1.1-cve-2025-9230.patch
@@ -0,0 +1,31 @@
+From 5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+Reviewed-by: Tomas Mraz
+(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index a7d609f83791a..ee1b8aa6ed61d 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
diff --git a/openssl.spec b/openssl.spec
index b359e81..f016cf4 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1k
-Release: 13%{?dist}
+Release: 14%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -102,6 +102,7 @@ Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
 # Backport from OpenSSL 3.0
 # Fix for CVE-2024-5535
 Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
+Patch110: openssl-1.1.1-cve-2025-9230.patch
 License: OpenSSL and ASL 2.0
 URL: http://www.openssl.org/
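Review bot: The corrected bound `if (inlen < 4 + (size_t)tmp[0])` is right but the hunk leaves the reader to work out where the 4 comes from, so the line deserves a comment: `/* tmp[0] is the wrapped key length; it plus the 4-byte RFC 3211 header (length byte + 3 check bytes) must fit in inlen */`. Because tmp[0] is a single byte the addition cannot overflow, and unlike the old `tmp[0] - 4` form there is no subtraction that can go negative before the cast. The diffstat shows the backport touches only cms_pwri.c, so no regression test travels with it; a PWRI decrypt vector whose decrypted length byte exceeds the wrapped-key size would pin the fix, assuming the 1.1.1 tree has a CMS test to attach it to. kek_unwrap_key's body starts and ends outside the hunk, so the size of `out` cannot be confirmed here; the commit message's "overwrite up to 4 bytes" implies the copy that follows relies on `out` being at least inlen bytes, which is presumably the caller's contract.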
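Review bot: `Patch110:` is added without the provenance comment that the neighbouring entry carries (`# Backport from OpenSSL 3.0` / `# Fix for CVE-2024-5535` above Patch109), so the next maintainer has to open the patch file to learn what it is. Two comment lines above it would keep the patch list consistent with its predecessors: `# Backport of upstream 5965ea5 (cherry-pick of 9c462be)` and `# Fix for CVE-2025-9230`. Both hashes appear in the patch header; the upstream release series is not stated there, so I would not name one in the comment.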
@@ -236,6 +237,7 @@ cp %{SOURCE13} test/ %patch107 -p1 -b .cve-2023-5678 %patch108 -p1 -b .pkcs15imprejection %patch109 -p1 -b .cve-2024-5535 +%patch110 -p1 -b .cve-2025-9230 %build # Figure out which flags we want to use. @@ -519,6 +521,11 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Mon Dec 08 2025 Nikita Sanjay Patwa - 1:1.1.1k-14 +- Backport fix for Out-of-bounds read & write in RFC 3211 KEK Unwrap + Fix CVE-2025-9230 + Resolves: RHEL-128613 + * Mon Sep 16 2024 Maurizio Barbaro - 1:1.1.1k-13 - Backport fix SSL_select_next proto from OpenSSL 3.2 Fix CVE-2024-5535