diff --git a/backport-libpam-use-close_range-to-close-file-descriptors.patch b/backport-libpam-use-close_range-to-close-file-descriptors.patch
new file mode 100644
index 0000000000000000000000000000000000000000..13425106e9a862ceca766431d7f58632502c5765
--- /dev/null
+++ b/backport-libpam-use-close_range-to-close-file-descriptors.patch
@@ -0,0 +1,83 @@
+From d6103b30050554d7b6ca6d55cb5b4ed3c9516663 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 25 Oct 2023 09:46:15 +0200
+Subject: [PATCH] libpam: use close_range() to close file descriptors
+
+* configure.ac: check whether close_range() is available in the system.
+* libpam/pam_modutil_sanitize.c: use close_range() to close all file
+ descriptors. If the interface isn't available use the previous
+ approach.
+
+Link: https://github.com/linux-pam/linux-pam/pull/276
+Resolves: https://issues.redhat.com/browse/RHEL-5099
+
+Signed-off-by: Iker Pedrosa
+
+Conflict:NA
+Reference:https://github.com/linux-pam/linux-pam/commit/d6103b30050554d7b6ca6d55cb5b4ed3c9516663
+
+---
+ configure.ac | 1 +
+ libpam/pam_modutil_sanitize.c | 19 +++++++++++++++++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 39124d87..b6a8d6fb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -638,6 +638,7 @@ AC_CHECK_FUNCS(quotactl)
+ AC_CHECK_FUNCS(unshare)
+ AC_CHECK_FUNCS(explicit_bzero memset_explicit)
+ AC_CHECK_FUNCS([ruserok_af ruserok], [break])
++AC_CHECK_FUNCS(close_range)
+ 
+ AC_ARG_ENABLE([regenerate-docu],
+ AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
+diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
+index f26e8ec0..1b8af743 100644
+--- a/libpam/pam_modutil_sanitize.c
++++ b/libpam/pam_modutil_sanitize.c
+@@ -11,6 +11,10 @@
+ #include
+ #include
+ 
++#ifndef CLOSE_RANGE_UNSHARE
++#define CLOSE_RANGE_UNSHARE (1U << 1)
++#endif /* CLOSE_RANGE_UNSHARE */
++
+ /*
+ * Creates a pipe, closes its write end, redirects fd to its read end.
+ * Returns fd on success, -1 otherwise.
+@@ -84,9 +88,8 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
+ return fd;
+ }
+ 
+-/* Closes all descriptors after stderr. */
+ static void
+-close_fds(void)
++close_fds_iteratively(void)
+ {
+ /*
+ * An arbitrary upper limit for the maximum file descriptor number
+@@ -111,6 +114,18 @@ close_fds(void)
+ close(fd);
+ }
+ 
++/* Closes all descriptors after stderr. */
++static void
++close_fds(void)
++{
++#ifdef HAVE_CLOSE_RANGE
++ if (close_range(STDERR_FILENO+1, -1U, CLOSE_RANGE_UNSHARE) == 0)
++ return;
++#endif /* HAVE_CLOSE_RANGE */
++
++ close_fds_iteratively();
++}
++
+ int
+ pam_modutil_sanitize_helper_fds(pam_handle_t *pamh,
+ enum pam_modutil_redirect_fd stdin_mode,
+-- 
+2.33.0
+
diff --git a/pam.spec b/pam.spec
index 51dca257e155ae1e5d0844a447d834545a696a92..c3fedc274779e4db156bfd7dfab91a8bfeb1fe51 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,7 +4,7 @@
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
 Version: 1.5.3
-Release: 9
+Release: 10
 Summary: Pluggable Authentication Modules for Linux
 License: BSD-3-Clause AND GPL-2.0-or-later
 URL: http://www.linux-pam.org/
@@ -28,6 +28,7 @@ Patch6: backport-pam_access-make-non-resolveable-hostname-a-debug-out.patch
 Patch7: backport-CVE-2024-10963.patch
 Patch8: backport-CVE-2024-10041.patch
 Patch9: backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch
+Patch10: backport-libpam-use-close_range-to-close-file-descriptors.patch
 Patch9000:change-ndbm-to-gdbm.patch
 Patch9001:add-sm3-crypt-support.patch
@@ -167,6 +168,9 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
 %changelog
+* Mon Mar 24 2025 hugel - 1.5.3-10
+- backport patch libpam use close_range() to close file descriptors
+
 * Fri Dec 27 2024 dongyuzhen - 1.5.3-9
 - fix tst-pam_unix5 test case failure
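Review bot: The new `close_fds()` in the libpam/pam_modutil_sanitize.c part of this patch falls back to `close_fds_iteratively()` on any non-zero return from `close_range()`, which is the safe direction, but the one-line header comment does not say so and a later reader may be tempted to log or abort on the error instead. I would widen it to `/* Closes all descriptors after stderr. Tries close_range(2) first; any failure (e.g. ENOSYS on a kernel without it, or a seccomp filter rejecting the call) falls back to the bounded iterative loop. */`. The local `#define CLOSE_RANGE_UNSHARE (1U << 1)` similarly deserves a note that it mirrors the Linux UAPI value for headers that predate the flag, so a later header update is not mistaken for a conflict. `AC_CHECK_FUNCS(close_range)` only proves the symbol links, so it is worth confirming the build exposes the prototype (glibc declares it only under `_GNU_SOURCE`, which configure presumably enables); the `#include` lines in this hunk lost their targets in extraction, so that cannot be checked here. The bodies of `close_fds_iteratively()` and `pam_modutil_sanitize_helper_fds()` continue outside the hunk.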