diff --git a/backport-CVE-2025-4056.patch b/backport-CVE-2025-4056.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3459a0332764480d631ad343363a270b0d1955f0
--- /dev/null
+++ b/backport-CVE-2025-4056.patch
@@ -0,0 +1,49 @@
+From 3d9cc103308bc50938b65acb9814850208133112 Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Sun, 30 Mar 2025 21:49:05 +0100
+Subject: [PATCH] gspawn-win32: Fix potential integer overflows in argv
+ handling
+
+This can happen if a user passes a ludicrously long string to argv.
+
+Spotted by chamalsl as #YWH-PGM9867-48.
+
+Signed-off-by: Philip Withnall
+---
+ glib/gspawn-win32-helper.c | 4 ++--
+ glib/gspawn-win32.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/glib/gspawn-win32-helper.c b/glib/gspawn-win32-helper.c
+index 35b25905cb..0dc56c0eec 100644
+--- a/glib/gspawn-win32-helper.c
++++ b/glib/gspawn-win32-helper.c
+@@ -80,8 +80,8 @@ protect_wargv (gint argc,
+ {
+ wchar_t *p = wargv[i];
+ wchar_t *q;
+- gint len = 0;
+- gint pre_bslash = 0;
++ size_t len = 0;
++ size_t pre_bslash = 0;
+ gboolean need_dblquotes = FALSE;
+ while (*p)
+ {
+diff --git a/glib/gspawn-win32.c b/glib/gspawn-win32.c
+index 96b8bafee6..3a9a308680 100644
+--- a/glib/gspawn-win32.c
++++ b/glib/gspawn-win32.c
+@@ -253,8 +253,8 @@ protect_argv_string (const gchar *string)
+ {
+ const gchar *p = string;
+ gchar *retval, *q;
+- gint len = 0;
+- gint pre_bslash = 0;
++ size_t len = 0;
++ size_t pre_bslash = 0;
+ gboolean need_dblquotes = FALSE;
+ while (*p)
+ {
+--
+GitLab
+
diff --git a/glib2.spec b/glib2.spec
index 05049728f32843f35c468bf0ae7b0b3a1c536be9..a296b55109c927c107eb8c1c31b4fce9bde0b489 100644
--- a/glib2.spec
+++ b/glib2.spec
@@ -1,6 +1,6 @@
 Name: glib2
 Version: 2.66.8
-Release: 17
+Release: 18
 Summary: The core library that forms the basis for projects such as GTK+ and GNOME
 License: LGPLv2+
 URL: http://www.gtk.org
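Review bot: The allocation and copy loops that consume `len` and `pre_bslash` sit outside both embedded hunks (`protect_wargv` in gspawn-win32-helper.c and `protect_argv_string` in gspawn-win32.c), so widening the counters to `size_t` does not by itself show that the buffer size is overflow-safe. If the helper sizes its buffer as a product with `sizeof (wchar_t)`, that multiplication could presumably still wrap on a 32-bit target; an overflow-checked allocation such as `g_new (wchar_t, count)` would close that gap. It is also worth checking that no later test depends on the counters being signed, for example `pre_bslash >= 0`, which is always true for `size_t`. Both files are Windows-only spawn code, so the changelog line could note that this backport is presumably not compiled into the packages built from this spec.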
@@ -76,6 +76,7 @@ patch6064: backport-CVE-2024-34397.patch patch6065: backport-gdbusconnection-Allow-name-owners-to-have-the-syntax-of-a-well-known-name.patch Patch6066: Correct-translation-information.patch Patch6067: backport-CVE-2024-52533.patch +patch6068: backport-CVE-2025-4056.patch BuildRequires: chrpath gcc gcc-c++ gettext perl-interpreter %ifnarch i686 @@ -248,6 +249,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %endif %changelog +* Wed May 7 2025 hanhuihui - 2.66.8-18 +- fix CVE-2025-4056 + * Tue Nov 12 2024 liningjie - 2.66.8-17 - Fix CVE-2024-52533