diff --git a/0006-fix-CVE-2024-48916.patch b/0006-fix-CVE-2024-48916.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3f46370106c9d446a06dd74910d025c75e061bb3
--- /dev/null
+++ b/0006-fix-CVE-2024-48916.patch
@@ -0,0 +1,33 @@
+From 22b362ab9c7f72463f35addff53b34e301604104 Mon Sep 17 00:00:00 2001
+From: wangzengliang1 <wangzengliang2@huawei.com>
+Date: Sat, 28 Dec 2024 11:24:36 +0800
+Subject: [PATCH] fix CVE-2024-48916
+copyed-by: https://github.com/ceph/ceph/pull/60624
+  while authenticating AssumeRoleWithWebIdentity using JWT obtained
+  from an external IDP.
+
+fixes: https://tracker.ceph.com/issues/68836
+Signed-off-by Pritha Srivastava <prsrivas@redhat.com>
+---
+ src/rgw/rgw_rest_sts.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
+index 09f77f6..878edc6 100644
+--- a/src/rgw/rgw_rest_sts.cc
++++ b/src/rgw/rgw_rest_sts.cc
+@@ -444,7 +444,11 @@ WebTokenEngine::validate_signature(const DoutPrefixProvider* dpp, const jwt::dec
+                               .allow_algorithm(jwt::algorithm::ps512{cert});
+ 
+                 verifier.verify(decoded);
++              } else {
++                ldpp_dout(dpp, 0) << "Unsupported algorithm: " << algorithm << dendl;
++                throw -EINVAL;
+               }
++
+             } catch (std::runtime_error& e) {
+               ldpp_dout(dpp, 0) << "Signature validation failed: " << e.what() << dendl;
+               throw;
+-- 
+1.8.3.1
+
diff --git a/ceph.spec b/ceph.spec
index 2d41fe8208e723af76bffd35adab876a6b36a291..3b6b3b642c6c07f77c836fbbbb12d4e75f2a3048 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -174,7 +174,7 @@
 #################################################################################
 Name:		ceph
 Version:	18.2.2
-Release:	6
+Release:	7
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch:		2
 %endif
@@ -197,6 +197,7 @@ Patch2: 0002-fix-compilation-with-cython3.patch
 Patch3: 0003-fix-CVE-2023-46159.patch
 Patch4: 0004-fix-mds-metadata-lost-in-one-case.patch
 Patch6: 0005-fix-lz4-not-found.patch
+Patch7: 0006-fix-CVE-2024-48916.patch
 
 %ifarch loongarch64
 Patch5: 9001-add-supprot-for-loongarch64.patch
@@ -2643,6 +2644,9 @@ exit 0
 %{_datadir}/snmp/mibs
 
 %changelog
+* Sat Dec 28 2024 wangzengliang <wangzengliang2@huawei.com> - 2:18.2.2-7
+- fix CVE-2024-48916
+
 * Wed Sep 18 2024 laokz <zhangkai@iscas.ac.cn> - 2:18.2.2-6
 - let BuildRequires:valgrind-devel depend on system arch macro
 - fix riscv64 build