diff --git a/CVE-2025-1919.patch b/CVE-2025-1919.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0f12acf11f34a34e9fbb5c5a3303daada0886469
--- /dev/null
+++ b/CVE-2025-1919.patch
@@ -0,0 +1,80 @@
+From 54214171fceb920a4037a70ece60d478cd43e2d3 Mon Sep 17 00:00:00 2001
+From: zhaoshun
+Date: Tue, 29 Jul 2025 17:45:55 +0800
+Subject: [PATCH] CVE-2025-1919
+
+---
+ .../mojo/common/media_type_converters.cc | 28 +++++++++++++++----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc b/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
+index 933774836..f9e3ecc46 100644
+--- a/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
++++ b/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
+@@ -4,16 +4,16 @@
+
+ #include "media/mojo/common/media_type_converters.h"
+
+-#include
+-#include
+ #include
+
++#include "base/numerics/checked_math.h"
+ #include "base/numerics/safe_conversions.h"
+ #include "media/base/audio_buffer.h"
+ #include "media/base/audio_decoder_config.h"
+ #include "media/base/cdm_key_information.h"
+ #include "media/base/decoder_buffer.h"
+ #include "media/base/decrypt_config.h"
++#include "media/base/sample_format.h"
+ #include "media/base/encryption_scheme.h"
+ #include "media/base/subsample_entry.h"
+ #include "mojo/public/cpp/system/buffer.h"
+
+@@ -151,7 +151,7 @@ TypeConverter, media::mojom::AudioBufferPtr>::
+ static_cast(input->channel_layout) > media::CHANNEL_LAYOUT_MAX ||
+ ChannelLayoutToChannelCount(input->channel_layout) !=
+ input->channel_count) {
+- LOG(ERROR) << "Receive an invalid audio buffer, replace it with EOS.";
++ DLOG(ERROR) << "Receive an invalid audio buffer, replace it with EOS.";
+ return media::AudioBuffer::CreateEOSBuffer();
+ }
+
+@@ -163,14 +163,32 @@ TypeConverter, media::mojom::AudioBufferPtr>::
+ input->timestamp);
+ }
+
++ // Safe to cast, since we already checked `sample_format` doesn't exceed
++ // media::kSampleFormatMax above.
++ const size_t bytes_per_channel = SampleFormatToBytesPerChannel(
++ static_cast(input->sample_format));
++
++ // `bytes_per_channel` could be 0 if we received a kUnknownFormat. In that
++ // case, and in the case of a overflow below, `min_data_size` will be 0,
++ // and we will return an EOS below.
++ const size_t min_data_size =
++ base::CheckMul(input->frame_count,
++ base::CheckMul(input->channel_count, bytes_per_channel))
++ .ValueOrDefault(0u);
++ if (input->data.size() < min_data_size) {
++ DLOG(ERROR) << "Received invalid AudioBuffer, replace it with EOS.";
++ return media::AudioBuffer::CreateEOSBuffer();
++ }
++
+ // Setup channel pointers. AudioBuffer::CopyFrom() will only use the first
+ // one in the case of interleaved data.
+ std::vector channel_ptrs(input->channel_count, nullptr);
+ const size_t size_per_channel = input->data.size() / input->channel_count;
+ DCHECK_EQ(0u, input->data.size() % input->channel_count);
+- for (int i = 0; i < input->channel_count; ++i)
++ for (int i = 0; i < input->channel_count; ++i) {
+ channel_ptrs[i] = input->data.data() + i * size_per_channel;
++ }
+-
++
+ return media::AudioBuffer::CopyFrom(
+ input->sample_format, input->channel_layout, input->channel_count,
+ input->sample_rate, input->frame_count, &channel_ptrs[0],
+--
+2.43.5
+
diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index 1192bc73c43019bccb13776c7df46d0aa384052b..45ff2a5f20039aef2bbf93b53fe86520de82b185 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -6,7 +6,7 @@ Name: qt5-qtwebengine Version: 5.11.1 -Release: 9 +Release: 10 Summary: Qt5 - QtWebEngine components License: (LGPLv2 with exceptions or GPLv3 with exceptions) and BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and OpenSSL and (MPLv1.1 or GPLv2 or LGPLv2) URL: http://www.qt.io
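Review bot: The new size guard in the last hunk of the embedded patch, `if (input->data.size() < min_data_size) {`, can never fire when `min_data_size` is 0, yet the comment above it says that a zero value (unknown sample format, or an overflow in `base::CheckMul`) leads to an EOS return. As written, an overflowing `frame_count * channel_count * bytes_per_channel` collapses to 0 through `ValueOrDefault(0u)`, the unsigned comparison is false, and the buffer still reaches `AudioBuffer::CopyFrom()` with the unchecked `frame_count`. Unless a check outside this hunk already rejects those inputs, the guard should treat zero as invalid: `if (min_data_size == 0u || input->data.size() < min_data_size) {`. The converter's body starts and ends outside the hunk, so this should be confirmed against the full function and against the upstream change this backport is based on.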
@@ -45,6 +45,8 @@ Patch0009: qtwebengine-everywhere-src-5.10.1-gcc8-alignof.patch ## bug48291 add for deepin manual Patch0010: qtwebengine-everywhere-src-5.11.1-enable-64k-pagesize.patch +Patch6000: CVE-2025-1919.patch + BuildRequires: qt5-qtbase-devel qt5-qtbase-private-devel qt5-qtdeclarative-devel qt5-qtxmlpatterns-devel BuildRequires: qt5-qtlocation-devel qt5-qtsensors-devel qt5-qtwebchannel-devel qt5-qttools-static BuildRequires: qt5-qtquickcontrols2-devel ninja-build cmake bison flex git-core gperf libicu-devel @@ -222,6 +224,9 @@ done %{_qt5_examplesdir}/ %changelog +* Wed Aug 13 2025 Zhang Yi - 5.11.1-10 +- Fix CVE-2025-1919 + * Wed Dec 22 2021 weidong - 5.11.1-9 - Fix bug48291,enable 64k pagesize