diff --git a/0008-fix-CVE-2025-6019-dont-allow-suid-on-fs-resize.patch b/0008-fix-CVE-2025-6019-dont-allow-suid-on-fs-resize.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6cff01db3b69bd5909e9596b8a48365afcdfdb88
--- /dev/null
+++ b/0008-fix-CVE-2025-6019-dont-allow-suid-on-fs-resize.patch
@@ -0,0 +1,26 @@
+From 46b54414f66e965e3c37f8f51e621f96258ae22e Mon Sep 17 00:00:00 2001
+From: Thomas Blume
+Date: Fri, 16 May 2025 14:27:10 +0200
+Subject: [PATCH] Don't allow suid and dev set on fs resize
+
+Fixes: CVE-2025-6019
+---
+ src/plugins/fs/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/plugins/fs/generic.c b/src/plugins/fs/generic.c
+index 69333944..4a0c7cf8 100644
+--- a/src/plugins/fs/generic.c
++++ b/src/plugins/fs/generic.c
+@@ -683,7 +683,7 @@ static gchar* fs_mount (const gchar *device, gchar *fstype, gboolean read_only,
+ "Failed to create temporary directory for mounting '%s'.", device);
+ return NULL;
+ }
+- ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "ro" : NULL, NULL, &l_error);
++ ret = bd_fs_mount (device, mountpoint, fstype, read_only ? "nosuid,nodev,ro" : "nosuid,nodev", NULL, &l_error);
+ if (!ret) {
+ g_propagate_prefixed_error (error, l_error, "Failed to mount '%s': ", device);
+ g_rmdir (mountpoint);
+--
+2.33.0
+
diff --git a/libblockdev.spec b/libblockdev.spec
index c4615f1cd59e2eaab8b6555d13b7db4ac508a3d0..7eb7ceb1c4ae23d92c4fafbc13a0f99d8a6347be 100644
--- a/libblockdev.spec
+++ b/libblockdev.spec
@@ -3,7 +3,7 @@ Name: libblockdev Version: 3.0.4 -Release: 9 +Release: 10 Summary: libblockdev is a C library supporting GObject introspection for manipulation of block devices License: LGPLv2+ URL: https://github.com/storaged-project/libblockdev
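Review bot: The `bd_fs_mount` call in the embedded `fs_mount` hunk for `src/plugins/fs/generic.c` now hard-codes `"nosuid,nodev"` in both arms of the `read_only` ternary, with no comment saying that these options are the security fix, so a later cleanup could simplify them away. I would add a comment above the call such as `/* Mounted only for maintenance: never honour setuid bits or device nodes from the filesystem (CVE-2025-6019) */`. Only this one call is visible here, and `fs_mount` starts and ends outside the hunk. It is therefore worth confirming that no other temporary-mount path in the plugin still passes `NULL` as the mount options.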
@@ -16,6 +16,7 @@ Patch4: 0004-nvme-Fix-potential-memory-leak.patch Patch5: 0005-part-Fix-potential-double-free-when-getting-parttype.patch Patch6: 0006-crypto-Fix-double-free-in-bd_crypto_luks_remove_key.patch Patch7: 0007-part-Fix-copy-paste-bug-in-bd_part_spec_copy.patch +Patch8: 0008-fix-CVE-2025-6019-dont-allow-suid-on-fs-resize.patch BuildRequires: make glib2-devel libyaml-devel libbytesize-devel parted-devel libuuid-devel ndctl-devel device-mapper-devel BuildRequires: device-mapper-devel systemd-devel nss-devel volume_key-devel >= 0.3.9-7 libblkid-devel libmount-devel @@ -165,6 +166,12 @@ find %{buildroot} -type f -name "*.la" | xargs %{__rm} %changelog +* Mon Jun 23 2025 zhangjian - 3.0.4-10 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix CVE-2025-6019 + * Mon Aug 5 2024 cenhuilin - 3.0.4-9 - Type:bugfix - ID:NA