diff --git a/backport-CVE-2021-28041.patch b/backport-CVE-2021-28041.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7ba8c70cb6ed944b3ef40972fd6d6311ea804060
--- /dev/null
+++ b/backport-CVE-2021-28041.patch
@@ -0,0 +1,16 @@
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/f33/f/openssh-8.4p1-cve-2021-28041.patch
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 6e536e5..3bac42d 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
+ goto err;
+ }
+ free(ext_name);
++ ext_name = NULL;
+ break;
+ default:
+ error("%s: Unknown constraint %d", __func__, ctype);
+--
+1.8.3.1
+
diff --git a/openssh.spec b/openssh.spec
index 3055881ad91597506cda55c3b855a26de66e560f..067ad8662eb40ca4974b87d5e38ec27cd950a9ff 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid 74
-%global openssh_release 13
+%global openssh_release 14
 Name: openssh
 Version: 8.2p1
@@ -95,6 +95,7 @@ Patch62: add-strict-scp-check-for-CVE-2020-15778.patch
 Patch63: backport-move-closefrom-to-before-first-malloc.patch
 Patch64: backport-CVE-2021-41617-1.patch
 Patch65: backport-CVE-2021-41617-2.patch
+Patch66: backport-CVE-2021-28041.patch
 Requires: /sbin/nologin
 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -262,6 +263,7 @@ popd
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
 autoreconf
 pushd pam_ssh_agent_auth-0.10.3
@@ -473,6 +475,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %changelog
+* Wed Dec 15 2021 renmingshuai - 8.2P1-14
+- Type:cves
+- CVE:CVE-2021-28041
+- SUG:NA
+- DESC:fix CVE-2021-28041
+
 * Fri Oct 08 2021 renmingshuai - 8.2P1-13
 - Type:cves
 - CVE:CVE-2021-41617
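Review bot: The new backport-CVE-2021-28041.patch carries only a Reference URL and no statement of why `ext_name` must be cleared after `free(ext_name);`, so a later rebase could drop the added line as redundant. A one-line header such as `Clear ext_name after free so a later error exit cannot free it a second time (CVE-2021-28041)` would record the intent. That rationale assumes the `err` target in process_add_identity also frees ext_name; this lies outside the embedded hunk and should be confirmed against the 8.2p1 source. Because the reference is the Fedora 8.4p1 patch while the spec builds 8.2p1, it is also worth checking in the build log that `%patch66 -p1` lands on the intended `free(ext_name)` without fuzz or a large offset.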