diff --git a/backport-CVE-2023-7008.patch b/backport-CVE-2023-7008.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d626c895538f1b6177f41b6ebd43619a1b93556
--- /dev/null
+++ b/backport-CVE-2023-7008.patch
@@ -0,0 +1,39 @@
+From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 20 Dec 2023 16:44:14 +0100
+Subject: [PATCH] resolved: actually check authenticated flag of SOA
+ transaction
+
+Fixes #25676
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+---
+ src/resolve/resolved-dns-transaction.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
+index 696fce532a..fe88e502e7 100644
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2808,7 +2808,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+@@ -2835,7 +2835,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         /* We found the transaction that was supposed to find the SOA RR for us. It was
+                          * successful, but found no RR for us. This means we are not at a zone cut. In this
+                          * case, we require authentication if the SOA lookup was authenticated too. */
+-                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
+                 }
+ 
+                 return true;
+-- 
+2.33.0
+
diff --git a/systemd.spec b/systemd.spec
index 2508190b30cb291f6869eb9ffc133327aca208fd..7208029b95b9ed94a5661d3a4cc15b254c0ac6ba 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -25,7 +25,7 @@
 Name:           systemd
 Url:            https://systemd.io/
 Version:        255
-Release:        40
+Release:        41
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager
 
@@ -102,6 +102,7 @@ Patch6648:      backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.pa
 Patch6649:      backport-execute-free-syscall_log-hashmap-when-done.patch
 Patch6650:      backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch
 Patch6651:      backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch
+Patch6652:      backport-CVE-2023-7008.patch
 
 Patch9008:      update-rtc-with-system-clock-when-shutdown.patch
 Patch9009:      udev-add-actions-while-rename-netif-failed.patch
@@ -1688,6 +1689,9 @@ fi
 %{_unitdir}/veritysetup.target
 
 %changelog
+* Mon Apr 28 2025 zhangyao <zhangyao108@huawei.com> - 255-41
+- actually check authenticated flag of SOA transaction in resolved
+
 * Fri Apr 18 2025 wangyuhang <wangyuhang27@huawei.com> - 255-40
 - sync patch from systemd community