diff --git a/102-bugfix-for-CVE-2025-62230.patch b/102-bugfix-for-CVE-2025-62230.patch
new file mode 100644
index 0000000000000000000000000000000000000000..485c5b0489ed9e7237c1d8d0cbcd274309d67003
--- /dev/null
+++ b/102-bugfix-for-CVE-2025-62230.patch
@@ -0,0 +1,87 @@
+From 1abca0b9b5b019cda32aa92466a760660ebd952d Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan
+Date: Wed, 10 Sep 2025 15:58:57 +0200
+Subject: [PATCH xserver 3/4] xkb: Free the XKB resource when freeing
+ XkbInterest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+XkbRemoveResourceClient() would free the XkbInterest data associated
+with the device, but not the resource associated with it.
+
+As a result, when the client terminates, the resource delete function
+gets called and accesses already freed memory:
+
+ | Invalid read of size 8
+ | at 0x5BC0C0: XkbRemoveResourceClient (xkbEvents.c:1047)
+ | by 0x5B3391: XkbClientGone (xkb.c:7094)
+ | by 0x4DF138: doFreeResource (resource.c:890)
+ | by 0x4DFB50: FreeClientResources (resource.c:1156)
+ | by 0x4A9A59: CloseDownClient (dispatch.c:3550)
+ | by 0x5E0A53: ClientReady (connection.c:601)
+ | by 0x5E4FEF: ospoll_wait (ospoll.c:657)
+ | by 0x5DC834: WaitForSomething (WaitFor.c:206)
+ | by 0x4A1BA5: Dispatch (dispatch.c:491)
+ | by 0x4B0070: dix_main (main.c:277)
+ | by 0x4285E7: main (stubmain.c:34)
+ | Address 0x1893e278 is 184 bytes inside a block of size 928 free'd
+ | at 0x4842E43: free (vg_replace_malloc.c:989)
+ | by 0x49C1A6: CloseDevice (devices.c:1067)
+ | by 0x49C522: CloseOneDevice (devices.c:1193)
+ | by 0x49C6E4: RemoveDevice (devices.c:1244)
+ | by 0x5873D4: remove_master (xichangehierarchy.c:348)
+ | by 0x587921: ProcXIChangeHierarchy (xichangehierarchy.c:504)
+ | by 0x579BF1: ProcIDispatch (extinit.c:390)
+ | by 0x4A1D85: Dispatch (dispatch.c:551)
+ | by 0x4B0070: dix_main (main.c:277)
+ | by 0x4285E7: main (stubmain.c:34)
+ | Block was alloc'd at
+ | at 0x48473F3: calloc (vg_replace_malloc.c:1675)
+ | by 0x49A118: AddInputDevice (devices.c:262)
+ | by 0x4A0E58: AllocDevicePair (devices.c:2846)
+ | by 0x5866EE: add_master (xichangehierarchy.c:153)
+ | by 0x5878C2: ProcXIChangeHierarchy (xichangehierarchy.c:493)
+ | by 0x579BF1: ProcIDispatch (extinit.c:390)
+ | by 0x4A1D85: Dispatch (dispatch.c:551)
+ | by 0x4B0070: dix_main (main.c:277)
+ | by 0x4285E7: main (stubmain.c:34)
+
+To avoid that issue, make sure to free the resources when freeing the
+device XkbInterest data.
+
+CVE-2025-62230, ZDI-CAN-27545
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan
+Reviewed-by: Michel Dänzer
+(cherry picked from commit 10c94238bdad17c11707e0bdaaa3a9cd54c504be)
+
+Part-of:
+ xkb/xkbEvents.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/unix/xserver/xkb/xkbEvents.c b/unix/xserver/xkb/xkbEvents.c
+index f8f65d4a7..7c669c93e 100644
+--- a/unix/xserver/xkb/xkbEvents.c
++++ b/unix/xserver/xkb/xkbEvents.c
+@@ -1056,6 +1056,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+ autoCtrls = interest->autoCtrls;
+ autoValues = interest->autoCtrlValues;
+ client = interest->client;
++ FreeResource(interest->resource, RT_XKBCLIENT);
+ free(interest);
+ found = TRUE;
+ }
+@@ -1067,6 +1067,7 @@ XkbRemoveResourceClient(DevicePtr inDev, XID id)
+ autoCtrls = victim->autoCtrls;
+ autoValues = victim->autoCtrlValues;
+ client = victim->client;
++ FreeResource(victim->resource, RT_XKBCLIENT);
+ free(victim);
+ found = TRUE;
+ }
+-- 
+2.51.1
diff --git a/tigervnc.spec b/tigervnc.spec
index e9200961b0ccc16b46ad6e40de3e5b990fa9a7f4..2ac75a2a4bc498f751bc71cf11a4e637ce449fa7 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 6
 #defining macros needed by SELinux
 %global selinuxtype targeted
 %global modulename vncsession
@@ -30,6 +30,7 @@ Patch50: tigervnc-vncsession-restore-script-systemd-service.patch
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100: tigervnc-xserver120.patch
 Patch101: 101-bugfix-for-CVE-2024-21885.patch
+Patch102: 102-bugfix-for-CVE-2025-62230.patch
 BuildRequires: make
 BuildRequires: gcc-c++
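Review bot: The two added `FreeResource(..., RT_XKBCLIENT)` calls depend on the second argument suppressing the RT_XKBCLIENT delete callback (in dix/resource.c that parameter names the type whose DeleteFunc is skipped), which is what stops XkbClientGone from re-entering this very function while it is tearing the entry down, yet nothing at either call site records that invariant. I would add `/* Retire the RT_XKBCLIENT resource as well; passing RT_XKBCLIENT as skipDeleteFuncType keeps XkbClientGone from re-entering us. */` above each call so the next person does not "simplify" it to a plain FreeResource. On the client-close path shown in the trace (FreeClientResources -> XkbClientGone -> XkbRemoveResourceClient) the resource is presumably already unlinked before the callback runs, so the new call should find nothing there; that is worth confirming rather than assuming, because the device-removal path is the one this patch actually targets. XkbRemoveResourceClient starts and ends outside the hunk. The embedded upstream commit is marked 3/4 of a series, and whether the bundled unix/xserver tree also needs the sibling parts is not established by this change and should be checked by the packager.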
@@ -162,6 +163,7 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .101-bugfix-for-CVE-2024-21885
+%patch102 -p1 -b .102-bugfix-for-CVE-2025-62230
 popd
 # Downstream patches
@@ -333,6 +335,9 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 %changelog
+* Wed Nov 12 2025 tomcruiseqi - 1.13.1-6
+- Fix CVE-2025-62230
+
 * Mon Aug 11 2025 mgb01105731 - 1.13.1-5
 - Rebuild with xorg-x11-server to fix CVE-2025-49175,CVE-2025-49176,
 CVE-2025-49178,CVE-2025-49179,CVE-2025-49180