diff --git a/socat-1.7.4.4-CVE-2024-54661.patch b/socat-1.7.4.4-CVE-2024-54661.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a1e165824524d303eb2bb2713ba59a1f6ba956f4
--- /dev/null
+++ b/socat-1.7.4.4-CVE-2024-54661.patch
@@ -0,0 +1,22 @@
+http://www.dest-unreach.org/socat/contrib/socat-secadv9.html
+
+--- socat-1.8.0.1/readline.sh 2019-04-04 10:59:55.000000000 +0200
++++ socat-1.8.0.2/readline.sh 2024-12-06 11:44:17.376502570 +0100
+@@ -22,9 +22,15 @@
+ else
+ HISTOPT=
+ fi
+-mkdir -p /tmp/$USER || exit 1
+ #
+ #
+
+-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
++if test -w .; then
++ STDERR=./socat-readline.${1##*/}.log
++ rm -f $STDERR
++else
++ STDERR=/dev/null
++fi
++
++exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
+
diff --git a/socat.spec b/socat.spec
index 828326a9ede9db9b3ccf1cd604dc37972c94fdfe..c7419ecee537544acb9c09d420b95adb8f8e17ff 100644
--- a/socat.spec
+++ b/socat.spec
@@ -1,4 +1,5 @@
-%define anolis_release 1
+ExclusiveArch: x86_64 aarch64
+%define anolis_release 2
 Name: socat
 Version: 1.7.4.4
@@ -11,6 +12,7 @@ Source0: http://www.dest-unreach.org/socat/download/%{name}-%{version}.ta
 PATCH0001: 0001-PATCH-socat-1.7.3.3-warn.patch
 PATCH0002: 0002-PATCH-socat-configure-c99.patch
+PATCH0003: socat-1.7.4.4-CVE-2024-54661.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -89,6 +91,10 @@ cp -a %{buildroot}/%{_mandir}/man1/filan.1.gz %{buildroot}/%{_mandir}/man1/proca
 %doc README SECURITY
 %changelog
+* Sun Mar 22 2026 wenjie2025 - 1.7.4.4-2
+- Add fix for CVE-2024-54661 to prevent local privilege escalation
+ via insecure /tmp directory usage in readline.sh
+
 * Tue Jan 31 2023 Guyu Wang - 1.7.4.4-1
 - Update to 1.7.4.4
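Review bot: In the readline.sh hunk carried by socat-1.7.4.4-CVE-2024-54661.patch, the new `$STDERR` is expanded unquoted in both `rm -f $STDERR` and `2>$STDERR`, and its value embeds `${1##*/}`, so an argument containing whitespace or glob characters would split the `rm` operands or make the redirection ambiguous; `rm -f -- "$STDERR"` and `2>"$STDERR"` keep it a single word. The log also moves to a fixed name in the current directory, so when the script is started from a shared writable directory such as /tmp, the predictable-path problem named in the changelog can still arise between the `rm` and the redirect. A comment stating that the working directory is assumed to be private, or a fallback to `/dev/null` when it is not, would make that assumption explicit. The option parsing and the assignment of `$PROGRAM` lie outside the hunk, so how `$1` is constrained at this point is not visible here.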
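Review bot: The first socat.spec hunk adds `ExclusiveArch: x86_64 aarch64` alongside the release bump, which is unrelated to the CVE fix and is not recorded in the new %changelog entry. It stops the package from building on every other architecture, so a security update silently becomes unavailable there. Either move it to its own commit or add a changelog line such as `- Restrict builds to x86_64 and aarch64`, so the security change stays auditable on its own.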
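Review bot: `PATCH0003` is only declared in the second socat.spec hunk; whether it is actually applied depends on the %prep section, which is outside this diff. If %prep applies patches one by one rather than through `%autosetup` or `%autopatch`, the build would succeed without the readline.sh change while the changelog claims the CVE is fixed. Confirm in the build log that the patch is applied, and with explicit patch lines add the matching one using `-p1`, since the embedded paths start with `socat-1.8.0.1/`.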