diff --git a/1001-fix-CVE-2025-6965.patch b/1001-fix-CVE-2025-6965.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ce560342f71bf07a59fafec079e520bd5c8b5576
--- /dev/null
+++ b/1001-fix-CVE-2025-6965.patch
@@ -0,0 +1,112 @@
+From a456383b64e9863040bdcb3bbe54201bd11e09ec Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Fri, 25 Jul 2025 15:12:35 +0800
+Subject: [PATCH 1/1] fix CVE-2025-6965
+
+---
+ src/expr.c | 16 +++++++++++++++-
+ src/sqliteInt.h | 14 +++++++++++---
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/src/expr.c b/src/expr.c
+index a81b459..79c95e7 100644
+--- a/src/expr.c
++++ b/src/expr.c
+@@ -6409,7 +6409,9 @@ static void findOrCreateAggInfoColumn(
+ ){
+ struct AggInfo_col *pCol;
+ int k;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
+
++ assert( mxTerm <= SMXV(i16));
+ assert( pAggInfo->iFirstReg==0 );
+ pCol = pAggInfo->aCol;
+ for(k=0; knColumn; k++, pCol++){
+@@ -6426,6 +6428,10 @@ static void findOrCreateAggInfoColumn(
+ assert( pParse->db->mallocFailed );
+ return;
+ }
++ if( k>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ k = mxTerm;
++ }
+ pCol = &pAggInfo->aCol[k];
+ assert( ExprUseYTab(pExpr) );
+ pCol->pTab = pExpr->y.pTab;
+@@ -6459,6 +6465,7 @@ fix_up_expr:
+ if( pExpr->op==TK_COLUMN ){
+ pExpr->op = TK_AGG_COLUMN;
+ }
++ assert( k <= SMXV(PeXPR->Iagg) );
+ pExpr->iAgg = (i16)k;
+ }
+
+@@ -6542,13 +6549,19 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ ** function that is already in the pAggInfo structure
+ */
+ struct AggInfo_func *pItem = pAggInfo->aFunc;
++ int mxTerm = pParse->db->aLimit[SQLITE_LIMIT_COLUMN];
++ assert( mxTerm <= SMXV(i16) );
+ for(i=0; inFunc; i++, pItem++){
+ if( pItem->pFExpr==pExpr ) break;
+ if( sqlite3ExprCompare(0, pItem->pFExpr, pExpr, -1)==0 ){
+ break;
+ }
+ }
+- if( i>=pAggInfo->nFunc ){
++ if( i>mxTerm ){
++ sqlite3ErrorMsg(pParse, "more than %d aggregate terms", mxTerm);
++ i = mxTerm;
++ assert( inFunc );
++ }else if( i>=pAggInfo->nFunc ){
+ /* pExpr is original. 
Make a new entry in pAggInfo->aFunc[]
+ */
+ u8 enc = ENC(pParse->db);
+@@ -6572,6 +6585,7 @@ static int analyzeAggregate(Walker *pWalker, Expr *pExpr){
+ */
+ assert( !ExprHasProperty(pExpr, EP_TokenOnly|EP_Reduced) );
+ ExprSetVVAProperty(pExpr, EP_NoReduce);
++ assert( i <= SMXV(pExpr->iAgg) );
+ pExpr->iAgg = (i16)i;
+ pExpr->pAggInfo = pAggInfo;
+ return WRC_Prune;
+diff --git a/src/sqliteInt.h b/src/sqliteInt.h
+index 2c89377..fbe1cd8 100644
+--- a/src/sqliteInt.h
++++ b/src/sqliteInt.h
+@@ -2782,7 +2782,7 @@ struct AggInfo {
+ ** from source tables rather than from accumulators */
+ u8 useSortingIdx; /* In direct mode, reference the sorting index rather
+ ** than the source table */
+- u16 nSortingColumn; /* Number of columns in the sorting index */
++ u32 nSortingColumn; /* Number of columns in the sorting index */
+ int sortingIdx; /* Cursor number of the sorting index */
+ int sortingIdxPTab; /* Cursor number of pseudo-table */
+ int iFirstReg; /* First register in range for aCol[] and aFunc[] */
+@@ -2791,8 +2791,8 @@ struct AggInfo {
+ Table *pTab; /* Source table */
+ Expr *pCExpr; /* The original expression */
+ int iTable; /* Cursor number of the source table */
+- i16 iColumn; /* Column number within the source table */
+- i16 iSorterColumn; /* Column number in the sorting index */
++ int iColumn; /* Column number within the source table */
++ int iSorterColumn; /* Column number in the sorting index */
+ } *aCol;
+ int nColumn; /* Number of used entries in aCol[] */
+ int nAccumulator; /* Number of columns that show through to the output.
+@@ -5607,4 +5607,12 @@ sqlite3_uint64 sqlite3Hwtime(void);
+ # define IS_STMT_SCANSTATUS(db) 0
+ #endif
+
++/*
++** Macro SMXV(n) retrun the maximum value that can be held in varibale n,
++** assuming n is a signed integer type. UMXV(n) is similar for unsigned
++** integer types. 
++*/
++#define SMXV(n) ((((i64)1)<<(sizeof(n)*8-1))-1)
++#define UMXV(n) ((((i64)1)<<(sizeof(n)*8))-1)
++
+ #endif /* SQLITEINT_H */
+-- 
+2.47.3
+
diff --git a/sqlite.spec b/sqlite.spec
index d970ce2d58e664fb53e894f6b1716aa3a22f2a15..1408e5aa2cb00d198da3a76d96e91b207b7484f8 100644
--- a/sqlite.spec
+++ b/sqlite.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 %bcond_without tcl
 %bcond_without sqldiff
@@ -20,6 +20,8 @@ URL: http://www.sqlite.org/
 Source0: http://www.sqlite.org/%{year}/sqlite-src-%{realver}.zip
 Source1: http://www.sqlite.org/%{year}/sqlite-doc-%{docver}.zip
 Patch0001: 0001-CVE-2023-7104.patch
+# https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
+Patch0002: 1001-fix-CVE-2025-6965.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -239,6 +241,9 @@ rm -rf test/transitive1.test test/tkt3493.test test/misc1.test test/indexexpr2.t
 %endif
 %changelog
+* Fri Jul 25 2025 mgb01105731 - 3.42.0-5
+- Add patch to fix CVE-2025-6965
+
 * Wed Jul 3 2024 pangqing - 3.42.0-4
 - CVE: CVE-2023-7104
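Review bot: The added assert in the `fix_up_expr:` hunk of src/expr.c reads `assert( k <= SMXV(PeXPR->Iagg) );`, but the line directly below it and the parallel check added in analyzeAggregate both use `pExpr->iAgg`; unless this is a rendering artifact of the page, a SQLITE_DEBUG build will fail on the undeclared `PeXPR` while a release build silently compiles the check out, so the line should be `assert( k <= SMXV(pExpr->iAgg) );`. Other lines in this rendering have visibly lost their `<...>` operators (`knColumn`, `inFunc`), so the committed patch bytes, not this view, should be checked against upstream before trusting that the backport applies and builds. The new header comment in src/sqliteInt.h also has two typos worth fixing in the same pass, `retrun` → `return` and `varibale` → `variable`. Both patched functions, findOrCreateAggInfoColumn and analyzeAggregate, begin and end outside the hunks shown, so the new `mxTerm` clamp cannot be reviewed against the surrounding control flow here.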
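Review bot: The sqlite.spec hunk at `@@ -20,6 +20,8 @@` declares `Patch0002:` but nothing in this diff shows `%prep` applying it; if the spec uses explicit `%patch` lines rather than `%autosetup`, the patch will be listed in the SRPM yet never applied and the built library stays affected by CVE-2025-6965. The `%prep` section is outside the hunk, so this needs confirming there. A one-line comment above the new entry naming the CVE and the sqlite release the check-in landed in, e.g. `# CVE-2025-6965: backport of upstream check-in 5508b56f (see URL below)`, would make the provenance easier to audit than the bare URL.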