diff --git a/0006-fix-kbimg-add-validation-for-non-empty-strings-in-Ve.patch b/0006-fix-kbimg-add-validation-for-non-empty-strings-in-Ve.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e20dcdecfc59d5337efa9aa0f8dbe44feb891a9c
--- /dev/null
+++ b/0006-fix-kbimg-add-validation-for-non-empty-strings-in-Ve.patch
@@ -0,0 +1,95 @@
+From 66582ff8ad70b7bef1f21e0491e5750cbe1ec7a6 Mon Sep 17 00:00:00 2001
+From: Yuhang Wei <weiyuhang3@huawei.com>
+Date: Mon, 16 Dec 2024 10:14:03 +0800
+Subject: [PATCH] fix(kbimg): add validation for non-empty strings in
+ Vec<String> fields
+
+Signed-off-by: Yuhang Wei <weiyuhang3@huawei.com>
+---
+ KubeOS-Rust/kbimg/src/commands.rs    | 37 ++++++++++++++++++++++++++++
+ KubeOS-Rust/kbimg/src/scripts_gen.rs |  3 +++
+ 2 files changed, 40 insertions(+)
+
+diff --git a/KubeOS-Rust/kbimg/src/commands.rs b/KubeOS-Rust/kbimg/src/commands.rs
+index 24fc1031..bcf9feb0 100644
+--- a/KubeOS-Rust/kbimg/src/commands.rs
++++ b/KubeOS-Rust/kbimg/src/commands.rs
+@@ -117,6 +117,7 @@ pub struct User {
+     pub passwd: String,
+     #[serde(default, deserialize_with = "reject_empty_option_string")]
+     pub primary_group: Option<String>,
++    #[serde(default, deserialize_with = "reject_empty_opt_vec_string")]
+     pub groups: Option<Vec<String>>,
+ }
+ 
+@@ -138,6 +139,7 @@ pub struct Grub {
+ 
+ #[derive(Deserialize, Debug, Clone)]
+ pub struct SystemdService {
++    #[serde(default, deserialize_with = "reject_empty_vec_string")]
+     pub name: Vec<String>,
+ }
+ 
+@@ -155,6 +157,7 @@ pub struct DiskPartition {
+ 
+ #[derive(Deserialize, Debug, Clone)]
+ pub struct PersistMkdir {
++    #[serde(default, deserialize_with = "reject_empty_vec_string")]
+     pub name: Vec<String>,
+ }
+ 
+@@ -240,3 +243,37 @@ where
+     }
+     Ok(value)
+ }
++
++fn reject_empty_opt_vec_string<'de, D>(deserializer: D) -> Result<Option<Vec<String>>, D::Error>
++where
++    D: serde::Deserializer<'de>,
++{
++    let value: Option<Vec<String>> = Deserialize::deserialize(deserializer)?;
++    if let Some(ref value) = value {
++        if value.is_empty() {
++            return Err(serde::de::Error::custom("Vec<String> field should not be empty"));
++        }
++        for v in value {
++            if v.trim().is_empty() {
++                return Err(serde::de::Error::custom("String in Vec<String> should not be an empty string"));
++            }
++        }
++    }
++    Ok(value)
++}
++
++fn reject_empty_vec_string<'de, D>(deserializer: D) -> Result<Vec<String>, D::Error>
++where
++    D: serde::Deserializer<'de>,
++{
++    let value: Vec<String> = Deserialize::deserialize(deserializer)?;
++    if value.is_empty() {
++        return Err(serde::de::Error::custom("Vec<String> field should not be empty"));
++    }
++    for v in &value {
++        if v.trim().is_empty() {
++            return Err(serde::de::Error::custom("String in Vec<String> should not be an empty string"));
++        }
++    }
++    Ok(value)
++}
+diff --git a/KubeOS-Rust/kbimg/src/scripts_gen.rs b/KubeOS-Rust/kbimg/src/scripts_gen.rs
+index 4f9abd24..9993af1c 100644
+--- a/KubeOS-Rust/kbimg/src/scripts_gen.rs
++++ b/KubeOS-Rust/kbimg/src/scripts_gen.rs
+@@ -261,6 +261,9 @@ pub(crate) fn gen_create_img(file: &mut dyn Write, legacy_bios: bool, config: &C
+     let mut mkdir_persist: String = String::new();
+     if let Some(persist_mkdir) = &config.persist_mkdir {
+         for name in &persist_mkdir.name {
++            if name.is_empty() {
++                continue;
++            }
+             mkdir_persist.push_str(&format!("    mkdir -p \"${{TMP_MOUNT_PATH}}\"/{}\n", name));
+         }
+     }
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/KubeOS.spec b/KubeOS.spec
index f0e7866e581de49952b768661ec02670d890fd4d..2a8156d8e05c89c1432416043316183dbed06c8a 100644
--- a/KubeOS.spec
+++ b/KubeOS.spec
@@ -2,7 +2,7 @@
 
 Name:           KubeOS
 Version:        1.0.8
-Release:        3
+Release:        4
 Summary:        O&M platform used to update the whole OS as an entirety
 License:        Mulan PSL v2
 Source0:        https://gitee.com/openeuler/KubeOS/repository/archive/v%{version}.tar.gz
@@ -11,6 +11,7 @@ Patch2:         0002-fix-kbimg-incorrect-remove-chroot-script-path.patch
 Patch3:         0003-fix-admin-container-correct-path-for-copying-files-i.patch
 Patch4:         0004-fix-kbimg-add-info-log-for-successful-image-creation.patch
 Patch5:         0005-fix-kbimg-enforce-non-empty-strings-for-required-fie.patch
+Patch6:         0006-fix-kbimg-add-validation-for-non-empty-strings-in-Ve.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  make rust cargo openssl-devel
@@ -75,6 +76,12 @@ install -p -m 0600 ./KubeOS-Rust/kbimg/kbimg.toml %{buildroot}/opt/kubeOS/script
 rm -rfv %{buildroot}
 
 %changelog
+* Mon Dec 16 2024 Yuhang Wei<weiyuhang3@huawei.com> - 1.0.8-4
+- Type:requirement
+- CVE:NA
+- SUG:restart
+- DESC:enforce non-empty vec strings for required fields
+
 * Fri Dec 13 2024 Yuhang Wei<weiyuhang3@huawei.com> - 1.0.8-3
 - Type:requirement
 - CVE:NA