diff --git a/backport-fix-cgtop-sscanf-return-code-checks.patch b/backport-fix-cgtop-sscanf-return-code-checks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..59ddb479ec417734cf8e6c6c1441ca28f45c7677
--- /dev/null
+++ b/backport-fix-cgtop-sscanf-return-code-checks.patch
@@ -0,0 +1,30 @@
+From bab356f5a0b8d4a43a71076c2333ff4da7ed737e Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Fri, 19 Jan 2024 15:12:49 +0000
+Subject: [PATCH] cgtop: fix sscanf return code checks
+
+sscanf can return EOF on error, so check that we get a result instead.
+
+CodeQL#2386 and CodeQL#2387
+
+(cherry picked from commit 204d52c4b79eb19d2919cb5214e999c58a6679c6)
+---
+ src/cgtop/cgtop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c
+index e34da7cf728..ca514554408 100644
+--- a/src/cgtop/cgtop.c
++++ b/src/cgtop/cgtop.c
+@@ -310,9 +310,9 @@ static int process(
+
+ if (all_unified) {
+ while (!isempty(l)) {
+- if (sscanf(l, "rbytes=%" SCNu64, &k))
++ if (sscanf(l, "rbytes=%" SCNu64, &k) == 1)
+ rd += k;
+- else if (sscanf(l, "wbytes=%" SCNu64, &k))
++ else if (sscanf(l, "wbytes=%" SCNu64, &k) == 1)
+ wr += k;
+
+ l += strcspn(l, WHITESPACE);
diff --git a/systemd.spec b/systemd.spec
index 78201c4b22221d7fef8aa024ed0dfc3c1d357816..8d07d0f12153307eec73574391fab5280c061a5f 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -25,7 +25,7 @@
 Name: systemd
 Url: https://systemd.io/
 Version: 255
-Release: 19
+Release: 20
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
 
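Review bot: In the cgtop.c hunk carried by the backport patch, the two `sscanf(...) == 1` checks inside `while (!isempty(l))` have no comment explaining why the count is compared explicitly, so a later cleanup could simplify them back to a truthiness test; I would add `/* sscanf() returns EOF (-1) on input failure, which is non-zero: require exactly one conversion */` above the first check. With the old form an EOF return took the branch and added whatever `k` held at that moment to `rd` or `wr`, which skews the I/O totals the tool reports. Separately, the `SCNu64` conversion cannot signal a value that does not fit in 64 bits (the C standard leaves that case undefined), so if `l` can ever come from a source less trusted than the kernel, a prefix match followed by a range-checked integer parser would be the safer shape. The body of `process()` starts and ends outside the hunk, so the origin of `l` and the declaration and initial value of `k` are not visible here.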
@@ -68,6 +68,7 @@ Patch6014: backport-bash-completion-add-systemctl-service-log-level-target.
 Patch6015: backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch
 Patch6016: backport-main-pass-the-right-error-variable.patch
 Patch6017: backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch
+Patch6018: backport-fix-cgtop-sscanf-return-code-checks.patch
 
 Patch9008: update-rtc-with-system-clock-when-shutdown.patch
 Patch9009: udev-add-actions-while-rename-netif-failed.patch
@@ -1657,6 +1658,9 @@ fi
 %{_unitdir}/veritysetup.target
 
 %changelog
+* Fri Jul 26 2024 Han Jinpeng - 255-20
+- backport: fix cgtop sscanf return code checks
+
 * Tue Jul 2 2024 dufuhang - 255-19
 - sd-event: fix fd leak when fd is owned by IO event source