diff --git a/0001-fix-cve-CVE-2025-24528.patch b/0001-fix-cve-CVE-2025-24528.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e88c5253d113e8ac8bf798d5c80e5b4932bd1057
--- /dev/null
+++ b/0001-fix-cve-CVE-2025-24528.patch
@@ -0,0 +1,48 @@
+From 7552823f4dcc261b50921781c3a84852f4c421d8 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 25 Feb 2025 09:40:23 +0800
+Subject: [PATCH] fix cve CVE-2025-24528
+
+---
+ src/lib/kdb/kdb_log.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 6466417..9ae94b2 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -170,7 +170,7 @@ extend_file_to(int fd, unsigned int new_size)
+ */
+ static krb5_error_code
+ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+- unsigned int recsize)
++ unsigned int recsize, const kdb_incr_update_t *upd)
+ {
+ unsigned int new_block, new_size;
+
+@@ -182,6 +182,13 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
+ new_block *= ULOG_BLOCK;
+ new_size += ulogentries * new_block;
+
++ if (new_block > UINT16_MAX) {
++ syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
++ upd->kdb_princ_name.utf8str_t_len,
++ upd->kdb_princ_name.utf8str_t_val);
++ return KRB5_LOG_ERROR;
++ }
++
+ if (new_size > MAXLOGLEN)
+ return KRB5_LOG_ERROR;
+
+@@ -281,7 +288,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
+ recsize = sizeof(kdb_ent_header_t) + upd_size;
+
+ if (recsize > ulog->kdb_block) {
+- retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
++ retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
+ if (retval)
+ return retval;
+ }
+--
+2.39.3
+
diff --git a/krb5.spec b/krb5.spec
index c860900140e4f99fb1076407f363ca29b931f9da..32578b83ff757816ea07fe57f8e9d6d29caca092 100644
--- a/krb5.spec
+++ b/krb5.spec
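Review bot: The new `syslog` call in `resize` feeds `%.*s` its precision from `upd->kdb_princ_name.utf8str_t_len`; if that field is the rpcgen-style `u_int` count, the specifier still requires an `int`, so cast it, `(int)upd->kdb_princ_name.utf8str_t_len,`, to keep `-Wformat` builds clean. The guard is also inserted after `new_size += ulogentries * new_block;`, so that unsigned product is still formed from an unbounded `new_block`; moving the `if (new_block > UINT16_MAX)` block up to sit directly after `new_block *= ULOG_BLOCK;` makes the bound apply before anything is derived from it and changes nothing else. Because this is a backport onto 1.15.1 and the patch adds no includes, confirm `<syslog.h>` and the `_()` macro are already in scope in this tree's kdb_log.c before the build is trusted. `resize` begins and ends outside the hunk, as does the `store_update` body around the updated call.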
@@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.15.1 -Release: 55%{anolis_release}%{?dist}.3 +Release: 55%{anolis_release}%{?dist}.4 # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar @@ -150,6 +150,7 @@ Patch236: Fix-vulnerabilities-in-GSS-message-token-handling.patch Patch237: Simply-OpenSSL-PKCS7-decryption-code.patch Patch238: Remove-PKINIT-RSA-support.patch Patch239: Generate-and-verify-message-MACs-in-libkrad.patch +Patch240: 0001-fix-cve-CVE-2025-24528.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -432,6 +433,7 @@ ONLY by kerberos itself. Do not depend on this package. %patch237 -p1 -b .Simply-OpenSSL-PKCS7-decryption-code %patch238 -p1 -b .Remove-PKINIT-RSA-support %patch239 -p1 -b .Generate-and-verify-message-MACs-in-libkrad +%patch240 -p1 -b .fix-cve-CVE-2025-24528 ln NOTICE LICENSE @@ -941,6 +943,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Mon Feb 25 2025 zhuhongbo - 1.15.1-55.0.2.4 +- cve: fix cve CVE-2025-24528 + * Tue Nov 19 2024 zhuhongbo - 1.15.1-55.0.2.3 - cve: fix CVE-2024-3596 - libkrad: implement support for Message-Authenticator