diff --git a/Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch b/Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2ea6b96c17a7fa36c2f4bbc812e751b311fb3eb
--- /dev/null
+++ b/Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch
@@ -0,0 +1,50 @@
+From 88b96367d8e906361a29f9256c1228194c3c248a Mon Sep 17 00:00:00 2001
+From: l30034438
+Date: Sat, 21 Jun 2025 09:27:34 +0800
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+Change-Id: Id5a8e04f933b800a5c8f5d97ed4e41260c7ca013
+---
+ tree.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 437080f..870fab1 100644
+--- a/tree.c
++++ b/tree.c
+@@ -50,6 +50,10 @@
+ #include "buf.h"
+ #include "save.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ int __xmlRegisterCallbacks = 0;
+
+ /************************************************************************
+@@ -222,16 +226,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ xmlChar *memory, int len) {
+- int lenn, lenp;
++ size_t lenn, lenp;
+ xmlChar *ret;
+
+- if (ncname == NULL) return(NULL);
++ if ((ncname == NULL) || (len < 0)) return(NULL);
+ if (prefix == NULL) return((xmlChar *) ncname);
+
+ lenn = strlen((char *) ncname);
+ lenp = strlen((char *) prefix);
++ if (lenn >= SIZE_MAX - lenp - 1)
++ return(NULL);
+
+- if ((memory == NULL) || (len < lenn + lenp + 2)) {
++ if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+ ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2);
+ if (ret == NULL) {
+ xmlTreeErrMemory("building QName");
+--
+2.34.1
+
diff --git a/install.py b/install.py
index c514fee10960834c7b8a2809b6d4aac252507d4f..53728ef8c6f8c75ddad5c4fa4e2a43bf28480262 100755
--- a/install.py
+++ b/install.py
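Review bot: The embedded patch header carries only a local author id and a Change-Id, so nothing in the file lets a later reviewer compare this backport with the upstream libxml2 fix for CVE-2025-6021; add a line such as `Upstream: <upstream commit hash or URL>` under the Subject. In the second tree.c hunk the new guard `if (lenn >= SIZE_MAX - lenp - 1)` and the `(size_t) len` cast are uncommented, and the cast is only sound because `len < 0` is now rejected at the top of the function; a comment such as `/* lenn + lenp + 2 must not wrap: it is the allocation size and is compared against len */` above the guard would keep that dependency visible. The guard also returns NULL without the `xmlTreeErrMemory("building QName")` report that the allocation-failure path makes, so callers see overflow and out-of-memory as the same result. xmlBuildQName's body continues past the end of the hunk, so the writes into `ret` or `memory` are not visible here.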
@@ -236,7 +236,8 @@ def do_patch(args, target_dir):
 "Fix-type-confusion-in-xmlSchemaCheckAGPropsCorrect.patch",
 "Fix-CVE-2019-19956.patch",
 "Fix-CVE-2025-32414.patch",
- "Fix-CVE-2025-32415.patch"
+ "Fix-CVE-2025-32415.patch",
+ "Backport-CVE-2025-6021-tree-Fix-integer-overflow-in-xmlBuildQName-c.patch"
 ]
 
 for patch in patch_file: