diff --git a/backport-zero-freed-pointers-in-ebt_cs_clean.patch b/backport-zero-freed-pointers-in-ebt_cs_clean.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52bd560a20be01c54b0e1f07965189735f530f32
--- /dev/null
+++ b/backport-zero-freed-pointers-in-ebt_cs_clean.patch
@@ -0,0 +1,33 @@
+From 7b7c0936303abd0a7b26c8bc1382136265815677 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 31 Jul 2024 23:02:23 +0200
+Subject: ebtables: Zero freed pointers in ebt_cs_clean()
+
+Trying to recycle an iptables_command_state object by calling first
+clear_cs then init_cs callbacks causes invalid data accesses with
+ebtables otherwise.
+
+Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=7b7c0936303abd0a7b26c8bc1382136265815677
+---
+ iptables/nft-bridge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
+index 83cbe31..55bcb50 100644
+--- a/iptables/nft-bridge.c
++++ b/iptables/nft-bridge.c
+@@ -46,6 +46,7 @@ void ebt_cs_clean(struct iptables_command_state *cs)
+ 		free(m);
+ 		m = nm;
+ 	}
++        cs->match_list = NULL;
+ 
+ 	if (cs->target) {
+ 		free(cs->target->t);
+-- 
+2.27.0
+
diff --git a/iptables.spec b/iptables.spec
index 07f7cc39cc454a1da18c7a9a0badf61e57d9edb9..c1a8c6b4a8bd7531c5630c019391c313e2c5e777 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.9
-Release:	  6
+Release:	  7
 Summary:	  IP packet filter administration utilities
 License:	  GPL-2.0-only and Artistic-2.0
 URL:		  https://www.netfilter.org/
@@ -29,6 +29,7 @@ Patch12:          backport-libiptc-Fix-for-another-segfault-due-to-chain-index-N
 Patch13:          backport-libxtables-Fix-memleak-of-matches-udata.patch
 Patch14:          backport-xshared-Fix-parsing-of-empty-string-arg-in-c-option.patch
 Patch15:          tests-extensions-add-some-testcases.patch
+Patch16:          backport-zero-freed-pointers-in-ebt_cs_clean.patch
 
 
 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
@@ -346,6 +347,12 @@ fi
 %{_datadir}/xtables/iptables.xslt
 
 %changelog
+* Fri Sep 13 2024 zhangyaqi <zhangyaqi@kylinos.cn> - 1.8.9-7
+- Type: enhancement
+- ID: NA
+- SUG: NA
+- DESC: ebtables: Zero freed pointers in ebt_cs_clean()
+
 * Mon Aug 19 2024 yanglu <yanglu72@h-partners.com> - 1.8.9-6
 - Type: enhancement
 - ID: NA