diff --git a/Backport-Only-free-the-read-buffers-if-we-re-not-using-them.patch b/Backport-Only-free-the-read-buffers-if-we-re-not-using-them.patch
new file mode 100644
index 0000000000000000000000000000000000000000..41ea835d817e3e5d8c47e9fbfe7dee16f7c73a3d
--- /dev/null
+++ b/Backport-Only-free-the-read-buffers-if-we-re-not-using-them.patch
@@ -0,0 +1,72 @@
+From 0eda7f6cbef296ea43c7c6fffdde77ade067dcfa Mon Sep 17 00:00:00 2001
+From: Watson Ladd
+Date: Wed, 24 Apr 2024 11:26:56 +0100
+Subject: [PATCH] Only free the read buffers if we're not using them
+
+If we're part way through processing a record, or the application has
+not released all the records then we should not free our buffer because
+they are still needed.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/24395)
+
+(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177)
+---
+ ssl/record/rec_layer_s3.c | 9 +++++++++
+ ssl/record/record.h | 1 +
+ ssl/ssl_lib.c | 3 +++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 3baf820..99602b6 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
+ return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++ if (rl->rstate == SSL_ST_READ_BODY)
++ return 1;
++ if (RECORD_LAYER_processed_read_pending(rl))
++ return 1;
++ return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff --git a/ssl/record/record.h b/ssl/record/record.h
+index 234656b..b60f71c 100644
+--- a/ssl/record/record.h
++++ b/ssl/record/record.h
+@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 92bfaa3..846c55a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -5472,6 +5472,9 @@ int SSL_free_buffers(SSL *ssl)
+ if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+ return 0;
+ 
++ if (RECORD_LAYER_data_present(rl))
++ return 0;
++
+ RECORD_LAYER_release(rl);
+ return 1;
+ }
+--
+2.33.0
+
diff --git a/Backport-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch b/Backport-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ec05a5c2b6f2ef87cea9ac30fb02f88aa338e5e3
--- /dev/null
+++ b/Backport-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch
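Review bot: `RECORD_LAYER_data_present` is added without a header comment even though its neighbour `RECORD_LAYER_processed_read_pending` documents what it checks, and the name alone does not tell a caller that it covers two distinct conditions; I would put above it `/* Checks if we are part way through reading a record body, or still hold processed but unread record data - either way rbuf is still in use */`. In `SSL_free_buffers` the new test sits in its own `if` right under the existing one, so the "buffers still in use" rule is now stated twice; folding it in reads as one condition, `if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl) || RECORD_LAYER_data_present(rl)) return 0;`. Neither backport in this change appears to carry a regression test that calls `SSL_free_buffers` mid-record; if the upstream PR included one it is worth picking up alongside, as this spec already does for Patch28. The bodies of `RECORD_LAYER_processed_read_pending` and `SSL_free_buffers` continue outside the hunk.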
@@ -0,0 +1,52 @@
+From 3bbd97e670147567e7f519971623f419340635b0 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 24 Apr 2024 11:33:41 +0100
+Subject: [PATCH 2/2] Set rlayer.packet to NULL after we've finished using it
+
+In order to ensure we do not have a UAF we reset the rlayer.packet pointer
+to NULL after we free it.
+
+CVE-2024-4741
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Neil Horman
+(Merged from https://github.com/openssl/openssl/pull/24395)
+
+(cherry picked from commit d146349171101dec3a876c13eb7a6dea32ba62ba)
+---
+ ssl/record/rec_layer_s3.c | 6 ++++++
+ ssl/record/ssl3_buffer.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
+index 99602b6..b8def97 100644
+--- a/ssl/record/rec_layer_s3.c
++++ b/ssl/record/rec_layer_s3.c
+@@ -230,6 +230,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
+ /* ... now we can act as if 'extend' was set */
+ }
+ 
++ if (!ossl_assert(s->rlayer.packet != NULL)) {
++ /* does not happen */
++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
++ return -1;
++ }
++
+ len = s->rlayer.packet_length;
+ pkt = rb->buf + align;
+ /*
+diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
+index 97b0c26..1a10a7c 100644
+--- a/ssl/record/ssl3_buffer.c
++++ b/ssl/record/ssl3_buffer.c
+@@ -191,5 +191,7 @@ int ssl3_release_read_buffer(SSL *s)
+ OPENSSL_cleanse(b->buf, b->len);
+ OPENSSL_free(b->buf);
+ b->buf = NULL;
++ s->rlayer.packet = NULL;
++ s->rlayer.packet_length = 0;
+ return 1;
+ }
+--
+2.33.0
+
diff --git a/openssl.spec b/openssl.spec
index 6024be9e945390dea493f9cb7dd12539514e7784..83eaa4271ce577b224ab1173bb95054955670320 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name: openssl
 Epoch: 1
 Version: 3.0.12
-Release: 5
+Release: 6
 Summary: Cryptography and SSL/TLS Toolkit
 License: OpenSSL and SSLeay
 URL: https://www.openssl.org/
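Review bot: In `ssl3_release_read_buffer` the patch resets `s->rlayer.packet` and `packet_length` next to `b->buf = NULL`, but `b->len` keeps its old value, so if this function can run a second time before the buffer is re-allocated, `OPENSSL_cleanse(b->buf, b->len)` would operate on a NULL pointer with a non-zero length; whether that call is guarded by an `if` is outside the hunk, so I cannot tell from here if the path is reachable. Resetting the length alongside the pointer keeps the SSL3_BUFFER self-consistent for the next reader, `b->len = 0;` after `b->buf = NULL;` (assuming the setup path re-computes `b->len` when it re-allocates), or else guard the cleanse on `b->buf != NULL`. The `/* does not happen */` comment on the new `ossl_assert` in `ssl3_read_n` should say what it defends against rather than that it cannot fire, e.g. `/* packet points into rbuf; NULL here means the read buffer was released while a record was in flight */`. `ssl3_read_n` begins and continues outside the hunk.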
@@ -38,6 +38,8 @@ Patch26: backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch
 Patch27: backport-Hardening-around-not_resumable-sessions.patch
 Patch28: backport-Add-a-test-for-session-cache-overflow.patch
 Patch29: backport-CVE-2024-4603-Check-DSA-parameters-for-exce.patch
+Patch30: Backport-Only-free-the-read-buffers-if-we-re-not-using-them.patch
+Patch31: Backport-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch
 BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -238,6 +240,9 @@ make test || :
 %ldconfig_scriptlets libs
 %changelog
+* Wed May 29 2024 Zhao Mengmeng -1:3.0.12-6
+- fix CVE-2024-4741
+
 * Fri May 17 2024 cenhuilin - 1:3.0.12-5
 - fix CVE-2024-4603