diff --git a/backport-api-fix-seccomp_export_bpf_mem-out-of-bounds.patch b/backport-api-fix-seccomp_export_bpf_mem-out-of-bounds.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bf4a9a13464bdb33b17e1965fe83d41ff33fdda1
--- /dev/null
+++ b/backport-api-fix-seccomp_export_bpf_mem-out-of-bounds.patch
@@ -0,0 +1,33 @@
+From e8dbc6b555fb936bdfb8ab86f9a45fda96a8b7a2 Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Thu, 13 Feb 2025 12:05:17 +0100
+Subject: [PATCH] api: fix seccomp_export_bpf_mem out-of-bounds read
+
+*len is the length of the destination buffer, but program->blks is
+probably not anywhere near that long.  It's already been checked above
+that BPF_PGM_SIZE(program) is less than or equal to *len, so that's
+the correct value to use here to avoid either reading or writing too
+much.
+
+I noticed this because tests/11-basic-basic_errors started failing on
+musl after e797591 ("all: add seccomp_precompute() functionality").
+
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ src/api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/api.c b/src/api.c
+index adccef32..65a277a4 100644
+--- a/src/api.c
++++ b/src/api.c
+@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
+ 		if (BPF_PGM_SIZE(program) > *len)
+ 			rc = _rc_filter(-ERANGE);
+ 		else
+-			memcpy(buf, program->blks, *len);
++			memcpy(buf, program->blks, BPF_PGM_SIZE(program));
+ 	}
+ 	*len = BPF_PGM_SIZE(program);
diff --git a/libseccomp.spec b/libseccomp.spec
index 0bcafb1c0e30d5d19d218c7d1c26f3ce04ebe03c..31395010707724030d0ad0936b347ffa39759b57 100644
--- a/libseccomp.spec
+++ b/libseccomp.spec
@@ -1,11 +1,13 @@
 Name:		libseccomp
 Version:	2.6.0
-Release:        1
+Release:        2
 Summary:	Interface to the syscall filtering mechanism
 License:	LGPL-2.1-only
 URL:		https://github.com/seccomp/libseccomp
 Source0:	https://github.com/seccomp/libseccomp/releases/download/v%{version}/%{name}-%{version}.tar.gz
 
+Patch1:         backport-api-fix-seccomp_export_bpf_mem-out-of-bounds.patch
+
 BuildRequires:	gcc gperf
 
 %description
@@ -62,6 +64,9 @@ developing applications that use %{name}.
 %{_mandir}/man*/*
 
 %changelog
+* Mon Jul 21 2025 liuzhilin <liuzhilin@kylinos.cn> - 2.6.0-2
+- backport api: fix seccomp_export_bpf_mem out-of-bounds read
+
 * Wed Jan 29 2025 Funda Wang <fundawang@yeah.net> - 2.6.0-1
 - update to 2.6.0