diff --git a/backport-Make-sure-invalid-krb5-context-is-not-used.patch b/backport-Make-sure-invalid-krb5-context-is-not-used.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cdf8c3ea63509c26d8aab611e95039201a2791f6
--- /dev/null
+++ b/backport-Make-sure-invalid-krb5-context-is-not-used.patch
@@ -0,0 +1,33 @@
+From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 21 Nov 2024 09:23:36 +0100
+Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -
+ 2.9.4
+
+Resolves: https://github.com/SSSD/sssd/issues/7715
+---
+ src/util/sss_krb5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index 3f57e5b268f..0b83142ddfc 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -115,6 +115,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+
+ kerr = sss_krb5_init_context(&krb_ctx);
+ if (kerr) {
++ krb_ctx = NULL;
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to init Kerberos context\n");
+ ret = EFAULT;
+ goto done;
+@@ -248,7 +249,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+ }
+
+ done:
+- if (ret != EOK) {
++ if (ret != EOK && krb_ctx != NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
+ KEYTAB_CLEAN_NAME, strerror(ret));
+ sss_log(SSS_LOG_ERR, "Failed to read keytab [%s]: %s\n",
+
diff --git a/sssd.spec b/sssd.spec
index 9ed3754743607644ef18d90c3b5922674093667d..820d2f43dd1bcde4c93746a065be902686d3ad8f 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.2.2
-Release: 19
+Release: 20
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
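Review bot: In the second hunk of the bundled sss_krb5.c patch (at the `done:` label), the new guard `if (ret != EOK && krb_ctx != NULL) {` also switches off the "Failed to read keytab" DEBUG and sss_log messages whenever `sss_krb5_init_context()` fails, so that path now leaves only the SSSDBG_OP_FAILURE debug line and nothing in syslog. The body of that block continues past the hunk, so which statement there actually needs a valid context cannot be seen here; if it is a single call, guard that call and keep `if (ret != EOK) {` for the logging, or add `sss_log(SSS_LOG_ERR, "Failed to init Kerberos context\n");` to the init-failure branch. The patch subject says it was cut for 2.9.4 while the spec builds 2.2.2, so it is worth confirming that the cleanup after `done:` in the 2.2.2 tree has the same shape and that every later use of `krb_ctx` there is NULL-checked.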
@@ -21,6 +21,7 @@ Patch11: backport-avoid-NULL-deref-in-monitor_service_shutdow.patch Patch12: backport-UTILS-inotify-avoid-potential-NULL-deref.patch Patch13: backport-RESPONDER-use-proper-context-for-getDomains.patch Patch14: backport-TOOLS-mistype-fix.patch +Patch15: backport-Make-sure-invalid-krb5-context-is-not-used.patch Requires: python3-sssd = %{version}-%{release} Requires: libldb @@ -594,6 +595,9 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Thu Dec 05 2024 wangjiang - 2.2.2-20 +- backport make sure invalid krb5 context is not used + * Tue Dec 03 2024 wangjiang - 2.2.2-19 - backport upstream patches