diff --git a/0022-CLIENT-fix-thread-unsafe-access-to-autofs-struct.patch b/0022-CLIENT-fix-thread-unsafe-access-to-autofs-struct.patch
new file mode 100644
index 0000000..d611058
--- /dev/null
+++ b/0022-CLIENT-fix-thread-unsafe-access-to-autofs-struct.patch
@@ -0,0 +1,40 @@
+From ad345be38aaff0caf2fa88a45c8ff69f90b92038 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 8 Oct 2025 18:23:50 +0200
+Subject: [PATCH] CLIENT: fix thread unsafe access to autofs struct.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case SSSD is built with lock-free client support, `sss_nss_lock()`
+is a no-op, thus resulting in thread unsafe access.
+
+This is a fix similar to 69fd828c1d5e92bc3b2e327a45dfed116f49d50a
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit f3af8c89af656767333410b0e94da9288dd8ade8)
+---
+ src/sss_client/autofs/sss_autofs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c
+index ef27cf895..f5986767f 100644
+--- a/src/sss_client/autofs/sss_autofs.c
++++ b/src/sss_client/autofs/sss_autofs.c
+@@ -65,7 +65,11 @@ struct automtent {
+ size_t cursor;
+ };
+
+-static struct sss_getautomntent_data {
++static
++#ifdef HAVE_PTHREAD_EXT
++__thread
++#endif
++struct sss_getautomntent_data {
+ char *mapname;
+ size_t len;
+ size_t ptr;
+--
+2.52.0
+
diff --git a/0023-sbus-defer-notification-callbacks.patch b/0023-sbus-defer-notification-callbacks.patch
new file mode 100644
index 0000000..baa58b5
--- /dev/null
+++ b/0023-sbus-defer-notification-callbacks.patch
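Review bot: The `__thread` storage added to `struct sss_getautomntent_data` under `HAVE_PTHREAD_EXT` gives every thread its own `mapname` pointer, so enumeration state allocated by one thread is invisible to, and cannot be released by, any other thread; the struct's initializer and the code that allocates and frees `mapname` are outside the hunk, so I could not confirm that the free path always runs on the allocating thread. A comment above the conditional would make that contract visible, e.g. `/* Per-thread when built lock-free: sss_nss_lock() is a no-op there, so each thread keeps its own enumeration state. */`. If a thread can exit while still holding an allocated `mapname`, that buffer is leaked rather than freed, which is worth a note if it is not already handled elsewhere.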
@@ -0,0 +1,57 @@
+From 86d8d0d1f6653e8d5d8f4d1988a84256a1f429d9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 14 Nov 2025 14:29:43 +0100
+Subject: [PATCH 23/24] sbus: defer notification callbacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise, it is possible to incorrectly chain nested requests since the
+chain id is still present in the hash table.
+
+Resolves: https://github.com/SSSD/sssd/issues/8194
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Tomáš Halman
+(cherry picked from commit d6ea55552ec1eeda4a58336bba4a2873b0568b65)
+---
+ src/sbus/request/sbus_request_hash.c | 4 ++++
+ src/sbus/sbus_private.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/src/sbus/request/sbus_request_hash.c b/src/sbus/request/sbus_request_hash.c
+index 0ddad03a8..28d5df81e 100644
+--- a/src/sbus/request/sbus_request_hash.c
++++ b/src/sbus/request/sbus_request_hash.c
+@@ -147,6 +147,7 @@ sbus_requests_add(hash_table_t *table,
+ goto done;
+ }
+
++ item->ev = conn->ev;
+ item->req = req;
+ item->conn = conn;
+ item->is_dbus = is_dbus;
+@@ -283,6 +284,9 @@ sbus_requests_finish(struct sbus_request_list *item,
+ return;
+ }
+
++ /* Defer callback so all requests are notified before callbacks are run. */
++ tevent_req_defer_callback(item->req, item->ev);
++
+ if (error != EOK) {
+ tevent_req_error(item->req, error);
+ return;
+diff --git a/src/sbus/sbus_private.h b/src/sbus/sbus_private.h
+index eef397b86..d65a29e21 100644
+--- a/src/sbus/sbus_private.h
++++ b/src/sbus/sbus_private.h
+@@ -430,6 +430,7 @@ sbus_server_filter(DBusConnection *dbus_conn,
+ struct sbus_request_spy;
+
+ struct sbus_request_list {
++ struct tevent_context *ev;
+ struct tevent_req *req;
+ struct sbus_connection *conn;
+
+--
+2.52.0
+
diff --git a/0024-cache_req-allow-cache_first-mode-only-if-there-is-mo.patch b/0024-cache_req-allow-cache_first-mode-only-if-there-is-mo.patch
new file mode 100644
index 0000000..4a74046
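Review bot: The new `ev` member of `struct sbus_request_list` is populated only in `sbus_requests_add()` (`item->ev = conn->ev;`), yet `sbus_requests_finish()` passes `item->ev` to `tevent_req_defer_callback()` unconditionally; if list items are created on any other path, or if `conn->ev` can be NULL at add time, the deferred callback would be scheduled on a NULL event context. Neither the allocation of `item` nor the origin of `conn->ev` is visible in the hunk, so this is worth confirming rather than assuming. Consider documenting the field in `sbus_private.h`, `/* Event context used to defer completion callbacks; set by sbus_requests_add(). */`, and guarding the defer with `if (item->ev != NULL)` if a NULL context is reachable. Both enclosing functions start and end outside the hunk.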
--- /dev/null
+++ b/0024-cache_req-allow-cache_first-mode-only-if-there-is-mo.patch
@@ -0,0 +1,38 @@
+From a475fbe31d66427c3fd3d4211bb2d2f639013b0f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 14 Nov 2025 15:03:52 +0100
+Subject: [PATCH 24/24] cache_req: allow cache_first mode only if there is more
+ than one domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise we will perform unnecessary data provider lookups.
+
+Resolves: https://github.com/SSSD/sssd/issues/8194
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Tomáš Halman
+(cherry picked from commit 816eb1e202b774ebec5463ad1dcb85d41ea11c8a)
+---
+ src/responder/common/cache_req/cache_req.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
+index b82759532..1d0fa824c 100644
+--- a/src/responder/common/cache_req/cache_req.c
++++ b/src/responder/common/cache_req/cache_req.c
+@@ -163,7 +163,10 @@ cache_req_create(TALLOC_CTX *mem_ctx,
+ talloc_free(cr);
+ return NULL;
+ }
+- if (rctx->cache_first) {
++
++ /* Allow cache first only if there is more than one domain. */
++ if (rctx->cache_first
++ && (rctx->domains->next != NULL || rctx->domains->subdomains != NULL)) {
+ cr->cache_behavior = CACHE_REQ_CACHE_FIRST;
+ }
+ /* it is ok to override cache_first here */
+--
+2.52.0
+
diff --git a/0025-RESPONDER-use-proper-context-for-getDomains.patch b/0025-RESPONDER-use-proper-context-for-getDomains.patch
new file mode 100644
index 0000000..98ac9f2
--- /dev/null
+++ b/0025-RESPONDER-use-proper-context-for-getDomains.patch
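Review bot: The new condition in `cache_req_create()` dereferences `rctx->domains` unconditionally (`rctx->domains->next`, `rctx->domains->subdomains`), whereas the replaced `if (rctx->cache_first)` touched no pointer; if a responder can reach this point with an empty domain list, this is a NULL dereference on a path that was previously safe. Where `rctx->domains` is populated is not visible here, so it may well be guaranteed non-NULL by the time a request is created. A cheap guard avoids the question: `if (rctx->cache_first && rctx->domains != NULL && (rctx->domains->next != NULL || rctx->domains->subdomains != NULL)) {`. The comment could also say why only the first domain's subdomains are inspected (a later domain already satisfies `next != NULL`). cache_req_create() continues outside the hunk.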
@@ -0,0 +1,56 @@
+From b1a0eda4bff3faacea7203ac9839bdbe275c344a Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 26 Apr 2024 14:04:50 +0200
+Subject: [PATCH] RESPONDER: use proper context for getDomains()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Request was created on a long term responder context, but a callback
+for this request tries to access memory that is allocated on a short
+term client context. So if client disconnects before request is
+completed, then callback dereferences already freed memory.
+
+Resolves: https://github.com/SSSD/sssd/issues/7319
+
+Reviewed-by: Alejandro López
+Reviewed-by: Pavel Březina
+(cherry picked from commit dc637c9730d0ba04a0d8aa2645ee537224cd4b19)
+(cherry picked from commit b0fda92e7e3c5bbcf30d8945411947e3fc6ae84b)
+
+Reviewed-by: Alejandro López
+Reviewed-by: Sumit Bose
+---
+ src/responder/pac/pacsrv_cmd.c | 2 +-
+ src/responder/pam/pamsrv_cmd.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
+index abfc2c991..d0663d73b 100644
+--- a/src/responder/pac/pacsrv_cmd.c
++++ b/src/responder/pac/pacsrv_cmd.c
+@@ -146,7 +146,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx)
+ ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str,
+ &pr_ctx->dom);
+ if (ret == EAGAIN || ret == ENOENT) {
+- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true,
++ req = sss_dp_get_domains_send(cctx, cctx->rctx, true,
+ pr_ctx->domain_name);
+ if (req == NULL) {
+ ret = ENOMEM;
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index a7c181733..b6d2905dd 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -1918,7 +1918,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
+
+ ret = pam_forwarder_parse_data(cctx, pd);
+ if (ret == EAGAIN) {
+- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain);
++ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain);
+ if (req == NULL) {
+ ret = ENOMEM;
+ } else {
+--
+2.52.0
+
diff --git a/0026-Enumerate-object-with-escaped-characters-in-name.patch b/0026-Enumerate-object-with-escaped-characters-in-name.patch
new file mode 100644
index 0000000..a7f6dd7
--- /dev/null
+++ b/0026-Enumerate-object-with-escaped-characters-in-name.patch
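Review bot: Both call sites now pass `cctx` instead of `cctx->rctx` as the memory context of `sss_dp_get_domains_send()`, which ties the request's lifetime to the client connection, but nothing in the code records why; a later cleanup could easily "normalise" it back to the responder context and reintroduce the use-after-free the commit message describes. Suggest a one-line comment at each site, e.g. `/* Allocate on cctx: the callback reads pr_ctx, which is freed with the client. */` in pacsrv_cmd.c and the same wording with `pd` in pamsrv_cmd.c. That the callbacks' data hangs off `cctx` is stated in the commit message rather than visible in the hunk, so confirm it before wording the comment. Both enclosing functions extend beyond the hunk.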
@@ -0,0 +1,63 @@
+From cc6ed40245dd594c3caa9e46960dec8d95b3f917 Mon Sep 17 00:00:00 2001
+From: Tomas Halman
+Date: Thu, 13 Mar 2025 17:37:51 +0100
+Subject: [PATCH] Enumerate object with escaped characters in name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes enumeration when DN in LDAP server
+contains special characters.
+
+The libldb expects that '\' is followed by two hex digits
+in filter. Strings like '\#' must be sanitized into '\5c#'
+before they are used for searching.
+
+Resolves: https://github.com/SSSD/sssd/issues/7876
+
+Reviewed-by: Alejandro López
+Reviewed-by: Dan Lavu
+(cherry picked from commit 158b4cdb7ac62fde1280f50a5d678f80d0e99015)
+
+Reviewed-by: Alejandro López
+(cherry picked from commit 116d6221c8dba014a12b7ca93eff62fd3f0f314f)
+Reviewed-by: Tomáš Halman
+---
+ src/db/sysdb_search.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index 49362beb0..b45df2358 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -784,6 +784,7 @@ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *dn_filter;
++ char *sanitized_dn;
+ const char *fqname;
+ errno_t ret;
+
+@@ -814,11 +815,18 @@ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+ }
+
+ for (size_t i = 0; i < ts_res->count; i++) {
++ ret = sss_filter_sanitize_dn(tmp_ctx,
++ ldb_dn_get_linearized(ts_res->msgs[i]->dn),
++ &sanitized_dn);
++ if (ret != EOK) {
++ goto done;
++ }
+ dn_filter = talloc_asprintf_append(
+ dn_filter,
+ "(%s=%s)",
+ SYSDB_DN,
+- ldb_dn_get_linearized(ts_res->msgs[i]->dn));
++ sanitized_dn);
++ talloc_free(sanitized_dn);
+ if (dn_filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+--
+2.52.0
+
diff --git a/sssd.spec b/sssd.spec
index 2fe8698..b05d107 100644
--- a/sssd.spec
+++ b/sssd.spec
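Review bot: In the loop of `sysdb_enum_dn_filter()` the result of `ldb_dn_get_linearized()` is fed straight into `sss_filter_sanitize_dn()` without a NULL check; ldb returns NULL for an invalid DN or on allocation failure, and what `sss_filter_sanitize_dn()` does with a NULL input is not visible here. Capturing the value first makes the failure explicit: `const char *dn_str = ldb_dn_get_linearized(ts_res->msgs[i]->dn);` followed by `if (dn_str == NULL) { ret = ENOMEM; goto done; }` and passing `dn_str` to the sanitizer. The sanitisation itself is the right fix, since a DN containing `\` followed by non-hex characters was previously interpolated unescaped into the ldb filter, and the per-iteration `talloc_free(sanitized_dn)` is safe because the buffer also hangs off `tmp_ctx`. The enclosing function begins before and ends after the hunk.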
@@ -19,7 +19,7 @@
 
 Name: sssd
 Version: 2.9.4
-Release: 5%{?dist}.3
+Release: 5%{?dist}.4
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -48,6 +48,11 @@ Patch0018: 0018-SYSDB-don-t-add-group-members-if-ignore_group_member.patch
 Patch0019: 0019-SYSDB-Use-SYSDB_NAME-from-cached-entry-when-updating.patch
 Patch0020: 0020-p11_child-Add-timeout-parameter.patch
 Patch0021: 0021-krb5-disable-Kerberos-localauth-an2ln-plugin-for-AD-.patch
+Patch0022: 0022-CLIENT-fix-thread-unsafe-access-to-autofs-struct.patch
+Patch0023: 0023-sbus-defer-notification-callbacks.patch
+Patch0024: 0024-cache_req-allow-cache_first-mode-only-if-there-is-mo.patch
+Patch0025: 0025-RESPONDER-use-proper-context-for-getDomains.patch
+Patch0026: 0026-Enumerate-object-with-escaped-characters-in-name.patch
 
 ### Downstream Patches ###
 
@@ -1232,6 +1237,12 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Jan 26 2026 Alexey Tikhonov - 2.9.4-5.4
+- Resolves: RHEL-143731 - Crash in 'sss_client/autofs/sss_autofs.c' [rhel-8.10.z]
+- Resolves: RHEL-133476 - 'sssd_nss' hangs when looking up an object by ID that has expired cache entry and filtered out by name [rhel-8.10.z]
+- Resolves: RHEL-114350 - Frequent crashes of the SSSD process (sssd_pac), leading to the termination of the AD trusted domain subprocess by the watchdog [rhel-8.10.z]
+- Resolves: RHEL-143719 - SSSD unable to enumerate LDAP groups with 'getent group' & 'getent group -s sss ' if LDAP server contains any group with # character in their names [rhel-8.10.z]
+
 * Fri Oct 17 2025 Alejandro López - 2.9.4-5.3
 - Resolves: RHEL-112455 - p11_child currently has an infinite timeout [rhel-8.10.z]
 - Resolves: RHEL-120292 - CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems [rhel-8.10.z]