diff --git a/0017-CVE-2025-6019.patch b/0017-CVE-2025-6019.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d59612f4bd8a0897f73319ec793b06debf824819
--- /dev/null
+++ b/0017-CVE-2025-6019.patch
@@ -0,0 +1,23 @@
+From f6ae95ad8652857fdcb2f5a3bda602fb14c48bbd Mon Sep 17 00:00:00 2001
+From: Thomas Blume
+Date: Fri, 16 May 2025 14:27:10 +0200
+Subject: [PATCH] Don't allow suid and dev set on fs resize
+
+Fixes: CVE-2025-6019
+---
+ src/plugins/fs/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/fs/generic.c b/src/plugins/fs/generic.c
+index 89d8714a9..f68d7ca12 100644
+--- a/src/plugins/fs/generic.c
++++ b/src/plugins/fs/generic.c
+@@ -410,7 +410,7 @@ static gboolean xfs_resize_device (const gchar *device, guint64 new_size, const
+ "before resizing it.", device);
+ return FALSE;
+ }
+- ret = bd_fs_mount (device, mountpoint, "xfs", NULL, NULL, error);
++ ret = bd_fs_mount (device, mountpoint, "xfs", "nosuid,nodev", NULL, error);
+ if (!ret) {
+ g_prefix_error (error, "Failed to mount '%s' before resizing it: ", device);
+ return FALSE;
diff --git a/libblockdev.spec b/libblockdev.spec
index 040e8fb7f2a301b6a16fd6322f3ff454ca5dad3f..eb5daf0cc21829db6c873560f89a4034a46f30ae 100644
--- a/libblockdev.spec
+++ b/libblockdev.spec
@@ -3,7 +3,7 @@
 Name: libblockdev
 Version: 2.24
-Release: 8
+Release: 9
 Summary: libblockdev is a C library supporting GObject introspection for manipulation of block devices
 License: LGPLv2+
 URL: https://github.com/storaged-project/libblockdev
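Review bot: The patched `bd_fs_mount` call in `xfs_resize_device` now passes `"nosuid,nodev"`, but nothing at the call site records why, so a later refactor or rebase could silently drop the options again; a one-line comment above it such as `/* temporary mount of a filesystem we do not trust: ignore setuid bits and device nodes on it */` would pin the intent. Only this one call is visible in the embedded hunk and the function starts and ends outside it, so it is worth confirming that no other temporary-mount path in this 2.24 copy of `src/plugins/fs/generic.c` still passes `NULL` mount options. Since the mount appears to exist only so the resize can run, adding `noexec` to the option string may be a cheap extra restriction, though that goes beyond the upstream change and would need testing.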
@@ -25,6 +25,7 @@ Patch13: 0013-lvm-dbus-Fix-memory-leak.patch
 Patch14: 0014-mdraid-Fix-memory-leak.patch
 Patch15: 0015-swap-Fix-memory-leak.patch
 Patch16: 0016-vdo-Do-not-use-g_memdup-in-bd_vdo_stats_copy.patch
+Patch17: 0017-CVE-2025-6019.patch
 BuildRequires: glib2-devel libyaml-devel libbytesize-devel parted-devel libuuid-devel ndctl-devel device-mapper-devel
 BuildRequires: device-mapper-devel systemd-devel nss-devel volume_key-devel >= 0.3.9-7 libblkid-devel libmount-devel
@@ -187,6 +188,9 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm}
 %changelog
+* Fri Jun 20 2025 Funda Wang - 2.24-9
+- fix CVE-2025-6019
+
 * Tue Sep 28 2021 Wenchao Hao - 2.24-8
 - NOP:nothing but to make it able to sync between differnt branches