diff --git a/backport-Make-sure-invalid-krb5-context-is-not-used.patch b/backport-Make-sure-invalid-krb5-context-is-not-used.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d874e0196534f634af9f2319d9bf39dc830865b
--- /dev/null
+++ b/backport-Make-sure-invalid-krb5-context-is-not-used.patch
@@ -0,0 +1,33 @@
+From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 21 Nov 2024 09:23:36 +0100
+Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -
+ 2.9.4
+
+Resolves: https://github.com/SSSD/sssd/issues/7715
+---
+ src/util/sss_krb5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index 3f57e5b268f..0b83142ddfc 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -140,6 +140,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+
+ kerr = sss_krb5_init_context(&krb_ctx);
+ if (kerr) {
++ krb_ctx = NULL;
+ error_message = "Failed to init Kerberos context";
+ ret = EFAULT;
+ goto done;
+@@ -269,7 +270,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+ }
+
+ done:
+- if (ret != EOK) {
++ if (ret != EOK && krb_ctx != NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
+ sss_printable_keytab_name(krb_ctx, keytab_name),
+ (error_message ? error_message : sss_strerror(ret)));
+
diff --git a/sssd.spec b/sssd.spec
index e838b23c04c5940099e09eaf6f9365616a0775aa..126cf50b7a7a835e3c29bb9b8ad76d06c28196f5 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@
 Name: sssd
 Version: 2.9.4
-Release: 10
+Release: 11
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
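Review bot: The new guard at `done:` (`if (ret != EOK && krb_ctx != NULL)`) skips the only visible DEBUG call when `sss_krb5_init_context()` fails, so that path now returns EFAULT without emitting the "Failed to init Kerberos context" message assigned a few lines earlier. A silent failure in keytab principal selection is hard to triage, so the NULL-context case should still be logged without touching `krb_ctx`, for example `} else if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab: %s\n", (error_message ? error_message : sss_strerror(ret))); }`. The body of `select_principal_from_keytab` lies mostly outside both hunks, so it cannot be confirmed from here whether `krb_ctx` is initialised to NULL at its declaration or whether the cleanup that follows the DEBUG call tolerates a NULL context; both are worth checking before this backport is merged.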
@@ -25,6 +25,7 @@ Patch0008: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
 Patch0009: backport-Missing-dns_update_per_family-option.patch
 Patch0010: backport-TOOLS-mistype-fix.patch
 Patch0011: backport-ad-honor-ad_use_ldaps-setting-with-ad_machine_pw_ren.patch
+Patch0012: backport-Make-sure-invalid-krb5-context-is-not-used.patch
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -923,6 +924,9 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Thu Dec 05 2024 wangjiang - 2.9.4-11
+- backport make sure invalid krb5 context is not used
+
 * Mon Dec 02 2024 wangjiang - 2.9.4-10
 - backport upstream patches