diff --git a/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c80e6064ace2bafe49c495e08d872f24c21e6e15
--- /dev/null
+++ b/0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
@@ -0,0 +1,58 @@
+From 6ae8e947d8e3f3f03eeb7d9ad993e341791900bc Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Fri, 20 Dec 2024 04:25:15 +1100
+Subject: [PATCH] With SSL_VERIFY_PEER client RPK should abort on X509 error
+
+While RPK performs X.509 checks correctly, at the SSL layer the
+SSL_VERIFY_PEER flag was not honoured and connections were allowed to
+complete even when the server was not verified.  The client can of
+course determine this by calling SSL_get_verify_result(), but some
+may not know to do this.
+
+Added tests to make sure this does not regress.
+
+Fixes CVE-2024-12797
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+---
+ ssl/statem/statem_clnt.c | 15 +++++++++++--
+ 1 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c
+index 436b397346..8716ed669f 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/ssl/statem/statem_clnt.c
+@@ -1910,6 +1910,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
+ {
+     size_t certidx;
+     const SSL_CERT_LOOKUP *clu;
++    int v_ok;
+ 
+     if (sc->session->peer_rpk == NULL) {
+         SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER,
+@@ -1919,9 +1920,19 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc,
+ 
+     if (sc->rwstate == SSL_RETRY_VERIFY)
+         sc->rwstate = SSL_NOTHING;
+-    if (ssl_verify_rpk(sc, sc->session->peer_rpk) > 0
+-            && sc->rwstate == SSL_RETRY_VERIFY)
++
++    ERR_set_mark();
++    v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk);
++    if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) {
++        ERR_clear_last_mark();
++        SSLfatal(sc, ssl_x509err2alert(sc->verify_result),
++                 SSL_R_CERTIFICATE_VERIFY_FAILED);
++        return WORK_ERROR;
++    }
++    ERR_pop_to_mark();      /* but we keep s->verify_result */
++    if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) {
+         return WORK_MORE_A;
++    }
+ 
+     if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx,
+                                        SSL_CONNECTION_GET_CTX(sc))) == NULL) {
+--
+2.43.0
diff --git a/edk2.spec b/edk2.spec
index 0fa6b76bfe1231b35640469cba3f89ef56c81e91..e062ed4afbcc80cfa7dbe2910c345644a89ac08f 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@
 
 Name: edk2
 Version: %{stable_date}
-Release: 18
+Release: 19
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent and OpenSSL and MIT 
 URL: https://github.com/tianocore/edk2
@@ -135,6 +135,9 @@ patch83: 0083-Fix-timing-side-channel-CVE-2024-13176.patch
 patch84: 0084-Free-the-read-buffers-CVE-2024-4741.patch
 patch85: 0085-Process-key-length-CVE-2023-5363.patch
 
+# Fix CVE-2024-12797
+patch86: 0086-With-SSL_VERIFY_PEER-client-RPK-should-abort-on-X509.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl 
 
 %description
@@ -404,6 +407,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 
 %changelog
+* Thu Mar 06 2025 zhihang<zhihang161013@outlook.com> - 202308-19
+- fix CVE-2024-12797
+
 * Sun Feb 23 2025 huyu<huyu70@h-partners.com> - 202308-18
 - fix CVE-2024-13176、CVE-2024-4741、CVE-2023-5363