diff --git a/openssl-3.0-CVE-2025-15467.patch b/openssl-3.0-CVE-2025-15467.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b7caf9bcf42c9ba231a9ae3a4e0038b0fa6d897c
--- /dev/null
+++ b/openssl-3.0-CVE-2025-15467.patch
@@ -0,0 +1,33 @@
+From ce39170276daec87f55c39dad1f629b56344429e Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:19:59 +0100
+Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long
+ IV
+
+Fixes CVE-2025-15467
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:34:29 2026
+---
+ crypto/evp/evp_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
+index bee4e62dea245..72f374c81a6f7 100644
+--- a/crypto/evp/evp_lib.c
++++ b/crypto/evp/evp_lib.c
+@@ -249,10 +249,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
+     if (type == NULL || asn1_params == NULL)
+         return 0;
+ 
+-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
+-    if (i <= 0)
++    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
++    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
+         return -1;
+-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
+ 
+     memcpy(asn1_params->iv, iv, i);
+     asn1_params->iv_len = i;
diff --git a/openssl.spec b/openssl.spec
index 15b490e7b9611438cdd0a3ba16969324c7038780..696eaefaf9c83f47b89c4b42154d7b0e3adaa01d 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.12
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: ASL 2.0
 URL: http://www.openssl.org/
 Source0: https://www.openssl.org/source/openssl-%{version}.tar.gz
@@ -128,6 +128,8 @@ Patch0031: https://github.com/openssl/openssl/commit/22a4066c496f2a1cb7fd9bd698d
 Patch0032: https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def.patch
 #https://github.com/openssl/openssl/pull/22529
 Patch0033: openssl-3.0-Fix-the-encoding-of-SM2-keys.patch
+#https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e
+Patch0034: openssl-3.0-CVE-2025-15467.patch
 
 Patch5000: set-Availablein-default-in-evppkey_rsa_common.patch
 Patch5001: openssl-3.0.12-support-tlcp.patch
@@ -449,6 +451,10 @@ install -m644 %{SOURCE5} \
 
 
 %changelog
+* Thu Jan 29 2026 wynnfeng <wynnfeng@tencent.com> - 3.0.12-25
+- [Type] security
+- [DESC] Fix CVE-2025-15467
+
 * Fri Nov 21 2025 Sinong Chen <costinchen@tencent.com> - 3.0.12-24
 - [Type] bugfix
 - [DESC] Fix the encoding of SM2 keys, and support SM2 CMS signature