diff --git a/udisks-2.10.91-udiskslinuxfilesystemhelpers_nodev,nosuid.patch b/udisks-2.10.91-udiskslinuxfilesystemhelpers_nodev,nosuid.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d6b0f9a463e4658980d3a625df86fa1e0100a0a8
--- /dev/null
+++ b/udisks-2.10.91-udiskslinuxfilesystemhelpers_nodev,nosuid.patch
@@ -0,0 +1,43 @@
+From 5e7277debea926370e587408517560afe87d28c9 Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek
+Date: Wed, 4 Jun 2025 15:26:46 +0200
+Subject: [PATCH] udiskslinuxfilesystemhelpers: Mount private mounts with
+ 'nodev,nosuid'
+
+The private mount done in take_filesystem_ownership() should always
+default to 'nodev,nosuid' for security and 'errors=remount-ro' for
+selected filesystem types to handle an corrupted filesystem. This is
+consistent with mount options calculation for regular mounts.
+---
+ src/udiskslinuxfilesystemhelpers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/udiskslinuxfilesystemhelpers.c b/src/udiskslinuxfilesystemhelpers.c
+index 7c5fc037c4..9eb7742c77 100644
+--- a/src/udiskslinuxfilesystemhelpers.c
++++ b/src/udiskslinuxfilesystemhelpers.c
+@@ -123,6 +123,7 @@ take_filesystem_ownership (const gchar *device,
+
+ {
+ gchar *mountpoint = NULL;
++ const gchar *mount_opts;
+ GError *local_error = NULL;
+ gboolean unmount = FALSE;
+ gboolean success = TRUE;
+@@ -151,8 +152,15 @@ take_filesystem_ownership (const gchar *device,
+ goto out;
+ }
+
++ mount_opts = "nodev,nosuid";
++ if (g_strcmp0 (fstype, "ext2") == 0 ||
++ g_strcmp0 (fstype, "ext3") == 0 ||
++ g_strcmp0 (fstype, "ext4") == 0 ||
++ g_strcmp0 (fstype, "jfs") == 0)
++ mount_opts = "nodev,nosuid,errors=remount-ro";
++
+ /* TODO: mount to a private mount namespace */
+- if (!bd_fs_mount (device, mountpoint, fstype, NULL, NULL, &local_error))
++ if (!bd_fs_mount (device, mountpoint, fstype, mount_opts, NULL, &local_error))
+ {
+ g_set_error (error, UDISKS_ERROR, UDISKS_ERROR_FAILED,
+ "Cannot mount %s at %s: %s",
diff --git a/udisks2.spec b/udisks2.spec
index 98f3b1b6d049fcbf1b6867b3918633097af72a7c..d6cb17b3ddf3c8a8bfed839105228f7dc15525d0 100644
--- a/udisks2.spec
+++ b/udisks2.spec
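Review bot: The new `mount_opts` only narrows what the temporary mount permits; the mount itself still lands in the shared mount namespace, since the `/* TODO: mount to a private mount namespace */` line directly above the `bd_fs_mount` call is kept unchanged, so while the mount is held the image is presumably reachable by other local users and `nodev,nosuid` is the only thing standing between a crafted filesystem image and code run out of it. I would pin that down with a comment on the `mount_opts = "nodev,nosuid";` line, e.g. `/* Mount is visible system-wide until unmounted (see TODO below): never drop nodev,nosuid here, mirror the daemon's default user-mount options. */`, because the option list is a hard-coded copy of the defaults the commit message says it mirrors and will silently drift if those change. As far as the public advisory goes CVE-2025-6019 was filed against libblockdev, whose own temporary mounts for resize/repair need the matching libblockdev fix, so the changelog line claiming the CVE is addressed is optimistic unless libblockdev is updated alongside this patch. Finally, the patch is taken from 2.10.91 while this spec builds 2.9.4 — the `@@ -123` / `@@ -151` offsets come from the newer tree, so confirm it applies cleanly to 2.9.4's `take_filesystem_ownership ()`, whose signature and remaining body lie outside this hunk.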
@@ -58,7 +58,7 @@
 Name: udisks2
 Summary: Disk Manager
 Version: 2.9.4
-Release: 6
+Release: 7
 License: GPL-2.0+ and LGPL-2.0+
 Group: System Environment/Libraries
 URL: https://github.com/storaged-project/udisks
@@ -66,6 +66,7 @@ Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{v
 Patch1: 0001-udiskslinuxmountoptions-Do-not-free-static-daemon-resources.patch
 Patch2: 0002-udisksctl-Guard-object-lookup.patch
 Patch3: 0003-udiskslinuxmanager-use-dbus-interface-after-free.patch
+Patch4: udisks-2.10.91-udiskslinuxfilesystemhelpers_nodev,nosuid.patch
 
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gobject-introspection-devel >= %{gobject_introspection_version}
@@ -438,6 +439,9 @@ udevadm trigger
 %endif
 %changelog
+* Sat Jun 21 2025 Funda Wang - 2.9.4-7
+- Harden temporary private mounts (CVE-2025-6019)
+
 * Tue Jun 18 2024 cenhuilin - 2.9.4-6
 - udiskslinuxmanager:use dbus interface after free