diff --git a/rhel-158962.patch b/rhel-158962.patch
new file mode 100644
index 0000000..6842993
--- /dev/null
+++ b/rhel-158962.patch
@@ -0,0 +1,46 @@
+From 93fc51176bbcf643a46cc271b85ff49cbb01f1a6 Mon Sep 17 00:00:00 2001
+From: remm <remm@apache.org>
+Date: Wed, 3 Dec 2025 21:22:54 +0100
+Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector
+
+---
+ .../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++
+ webapps/docs/changelog.xml                               | 7 +++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+index 1d639176eb17..9a4b8fa37fb5 100644
+--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
++++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum
+     protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
+             List<String> clientRequestedApplicationProtocols) {
+         List<String> clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get();
++        if (clientRequestedProtocols == null) {
++            clientRequestedProtocols = new ArrayList<String>();
++        }
+         List<Group> clientSupportedGroups = clientSupportedGroupsThreadLocal.get();
++        if (clientSupportedGroups == null) {
++            clientSupportedGroups = new ArrayList<Group>();
++        }
+         List<SignatureScheme> clientSignatureSchemes = clientSignatureSchemesThreadLocal.get();
++        if (clientSignatureSchemes == null) {
++            clientSignatureSchemes = new ArrayList<SignatureScheme>();
++        }
+
+         SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 9ef3d9b04912..03be8d1358ae 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -155,6 +155,9 @@
+         Store HTTP request headers using the original case for the header name
+         rather than forcing it to lower case. (markt)
+       </fix>
++      <fix>
++        Avoid possible NPEs when using a TLS enabled custom connector. (remm)
++      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Cluster">
diff --git a/tomcat9.spec b/tomcat9.spec
index 2e0d675..7a44e1a 100644
--- a/tomcat9.spec
+++ b/tomcat9.spec
@@ -53,7 +53,7 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1%{?dist}.alma.1
+Release:       2%{?dist}.alma.1
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -78,6 +78,7 @@ Patch3:        tomcat-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch7:        build-with-java-25.patch
+Patch8:        rhel-158962.patch
 
 BuildArch:     noarch
 
@@ -212,6 +213,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p0
 %patch -P7 -p0
+%patch -P8 -p1
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -634,9 +636,12 @@ fi
 %{appdir}/ROOT
 
 %changelog
-* Sat Feb 21 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:9.0.110-1.alma.1
+* Fri Mar 27 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:9.0.110-2.alma.1
 - Exclude i686 architecture from build
 
+* Mon Mar 23 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-2
+- Resolves: RHEL-158962 NPE in tomcat9 when used with TLS enabled custom connector
+
 * Wed Feb 11 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-1
 - Resolves: RHEL-148687
   Update to 9.0.110 and compile with Java 25 to enable FFM features for PQC support