diff --git a/backport-PAM-fix-issue-found-by-Coverity.patch b/backport-PAM-fix-issue-found-by-Coverity.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7cb11fed4447e544e1110c0e758ab15c13da96cd
--- /dev/null
+++ b/backport-PAM-fix-issue-found-by-Coverity.patch
@@ -0,0 +1,36 @@
+From c36c320d12e48178b041d9859e3035f0c65c4909 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 14 Jan 2025 12:35:43 +0100
+Subject: [PATCH] PAM: fix issue found by Coverity
+
+```
+1614            D(("Illegal task [%#x]", task));
+       9. out_of_scope: Variable buf goes out of scope.
+
+CID 530049: (#1 of 1): Resource leak (RESOURCE_LEAK)
+10. leaked_storage: Variable rd going out of scope leaks the storage rd.data points to.
+1615            return PAM_SYSTEM_ERR;
+1616    }
+```
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+---
+ src/sss_client/pam_sss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
+index 600c3616a..9aec74ce3 100644
+--- a/src/sss_client/pam_sss.c
++++ b/src/sss_client/pam_sss.c
+@@ -1612,7 +1612,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
+             break;
+         default:
+             D(("Illegal task [%#x]", task));
+-            return PAM_SYSTEM_ERR;
++            pam_status = PAM_SYSTEM_ERR;
+     }
+ 
+ done:
+-- 
+2.43.0
+
diff --git a/sssd.spec b/sssd.spec
index 3855595e221172c218618e084dae66c9a61cbf8d..74cdaaaa9e56ef025641011b1a60dbc1b12651b2 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 2.9.7
-Release: 3
+Release: 4
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -17,6 +17,7 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio
 Patch0000: sssd-openEuler-replace-version.patch
 Patch0001: backport-Make-sure-invalid-krb5-context-is-not-used.patch
 Patch0002: backport-mistype-fix.patch
+Patch0003: backport-PAM-fix-issue-found-by-Coverity.patch
 
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -939,6 +940,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed Aug 13 2025 Linux_zhang <zhangruifang@h-partners.com> - 2.9.7-4
+- backport upstream patches
+
 * Tue Jul 15 2025 hugel <gengqihu2@h-partners.com> - 2.9.7-3
 - remove rpath in sssd_kcm