diff --git a/backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch b/backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff7494570d4fdba5bc2b68be3de34ba6f5ded66b
--- /dev/null
+++ b/backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch
@@ -0,0 +1,36 @@
+From 48ccd81656381522d1f9ccb8705c13f0266a46ab Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Sat, 25 Nov 2023 11:04:56 -0500
+Subject: [PATCH] In PKINIT, check for null PKCS7 enveloped fields
+
+The PKCS7 ContentInfo content field and EncryptedContentInfo
+encryptedContent field are optional. Check for null values in
+cms_envelopeddata_verify() before calling pkcs7_decrypt(). Reported
+by Bahaa Naamneh.
+
+ticket: 9107 (new)
+tags: pullup
+target_version: 1.21-next
+target_version: 1.20-next
+---
+ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 453b1119a..15c6cd8c4 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -2464,7 +2464,9 @@ cms_envelopeddata_verify(krb5_context context,
+ }
+
+ /* verify that the received message is PKCS7 EnvelopedData message */
+- if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped) {
++ if (OBJ_obj2nid(p7->type) != NID_pkcs7_enveloped ||
++ p7->d.enveloped == NULL ||
++ p7->d.enveloped->enc_data->enc_data == NULL) {
+ pkiDebug("Expected id-enveloped PKCS7 msg (received type = %d)\n",
+ OBJ_obj2nid(p7->type));
+ krb5_set_error_message(context, retval, "wrong oid\n");
+--
+2.33.0
+
diff --git a/krb5.spec b/krb5.spec
index d6844c13f5b28103774fd4e38db12cf920e8bd1a..f4db69454fe7db5a7aef80ebed9310fd5b3bfe57 100644
--- a/krb5.spec
+++ b/krb5.spec
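Review bot: In the backported condition in cms_envelopeddata_verify(), the last test dereferences `p7->d.enveloped->enc_data` without checking that intermediate pointer, so only the outer `enveloped` and the innermost `enc_data` are guarded. If the decoder always allocates the EncryptedContentInfo structure this is safe, but nothing in the hunk shows that, so either add `p7->d.enveloped->enc_data == NULL ||` ahead of the last test or add a comment stating why it cannot be null. The two new null cases also fall into the existing branch that logs `Expected id-enveloped PKCS7 msg` and sets `wrong oid`, which will mislead anyone triaging a rejected request from the logs; a distinct message for the missing-field case would help. The body of cms_envelopeddata_verify() continues outside the hunk.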
@@ -3,7 +3,7 @@ Name: krb5 Version: 1.19.2 -Release: 13 +Release: 14 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -45,7 +45,7 @@ Patch21: backport-Fix-unimportant-memory-leaks.patch Patch22: backport-Add-and-use-ts_interval-helper.patch Patch23: backport-Avoid-small-read-overrun-in-UTF8-normalization.patch Patch24: backport-Use-memmove-in-Unicode-functions.patch - +Patch25: backport-In-PKINIT-check-for-null-PKCS7-enveloped-fields.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc @@ -338,6 +338,9 @@ make -C src check || : %changelog +* Thu Jan 25 2024 zhangruifang - 1.19.2-14 +- Backport patches from upstream community + * Fri Dec 29 2023 xuraoqing - 1.19.2-13 - backport patches