diff --git a/backport-CVE-2025-5278.patch b/backport-CVE-2025-5278.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2a243dc15e93496a3b13b6af0aa6ada7280aae65
--- /dev/null
+++ b/backport-CVE-2025-5278.patch
@@ -0,0 +1,105 @@
+From 8c9602e3a145e9596dc1a63c6ed67865814b6633 Mon Sep 17 00:00:00 2001
+From: Pádraig Brady <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: sort: fix buffer under-read (CWE-127)
+
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+Fixes https://bugs.gnu.org/78507
+---
+ src/sort.c                     | 12 ++++++++++--
+ tests/local.mk                 |  1 +
+ tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/sort/sort-field-limit.sh
+
+diff --git a/src/sort.c b/src/sort.c
+index 42f72b6..2861421 100644
+--- a/src/sort.c
++++ b/src/sort.c
+@@ -1791,7 +1791,11 @@ begfield_uni (const struct line *line, const struct keyfield *key)
+       ++ptr;
+ 
+   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
+-  ptr = MIN (lim, ptr + schar);
++  size_t remaining_bytes = lim - ptr;
++  if (schar < remaining_bytes)
++    ptr += schar;
++  else
++    ptr = lim;
+ 
+   return ptr;
+ }
+@@ -1951,7 +1955,11 @@ limfield_uni (struct line const *line, struct keyfield const *key)
+           ++ptr;
+ 
+       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
+-      ptr = MIN (lim, ptr + echar);
++      size_t remaining_bytes = lim - ptr;
++      if (echar < remaining_bytes)
++        ptr += echar;
++      else
++        ptr = lim;
+     }
+ 
+   return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index a2164c9..15d05bb 100644
+--- a/tests/local.mk
++++ b/tests/local.mk
+@@ -373,6 +373,7 @@ all_tests =					\
+   tests/misc/sort-debug-keys.sh			\
+   tests/misc/sort-debug-warn.sh			\
+   tests/misc/sort-discrim.sh			\
++  tests/sort/sort-field-limit.sh		\
+   tests/misc/sort-files0-from.pl		\
+   tests/misc/sort-float.sh			\
+   tests/misc/sort-mb-tests.sh			\
+diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
+new file mode 100755
+index 0000000..52d8e1d
+--- /dev/null
++++ b/tests/sort/sort-field-limit.sh
+@@ -0,0 +1,35 @@
++#!/bin/sh
++# From 7.2-9.7, this would trigger an out of bounds mem read
++
++# Copyright (C) 2025 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <https://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
++print_ver_ sort
++getlimits_
++
++# This issue triggers with valgrind or ASAN
++valgrind --error-exitcode=1 sort --version 2>/dev/null &&
++  VALGRIND='valgrind --error-exitcode=1'
++
++{ printf '%s\n' aa bb; } > in || framework_failure_
++
++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++Exit $fail
+-- 
+2.47.1
+
diff --git a/coreutils.spec b/coreutils.spec
index f0c84dee48d81d5dfe02db6d1f22095e33dae46b..053579d0f7383c93b08b2992fa5f9b49c02caff9 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,6 +1,6 @@
 Name:       coreutils
 Version:    9.0
-Release:    19
+Release:    20
 License:    GPLv3+
 Summary:    A set of basic GNU tools commonly used in shell scripts
 Url:        https://www.gnu.org/software/coreutils/
@@ -63,6 +63,7 @@ patch48:   backport-sort-fix-debug-buffer-overrun.patch
 patch49:   backport-tac-avoid-out-of-bounds-access.patch
 Patch50:   backport-yes-avoid-failure-on-CHERI-protected-systems.patch
 Patch51:   backport-tail-avoid-infloop-with-c-on-dev-zero.patch
+Patch52:   backport-CVE-2025-5278.patch
 
 Patch9001: coreutils-9.0-sw.patch
 
@@ -191,6 +192,9 @@ fi
 %{_mandir}/man*/*
 
 %changelog
+* Sat May 31 2025 Funda Wang <fundawang@yeah.net> - 9.0-20
+- fix CVE-2025-5278
+
 * Mon May 26 2025 fuanan <fuanan3@h-partners.com> - 9.0-19
 - backport: tail: avoid infloop with -c on /dev/zero