diff --git a/backport-CVE-2025-0620.patch b/backport-CVE-2025-0620.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9ad33f089c23ad68fa34e9e08b059752af652ff4
--- /dev/null
+++ b/backport-CVE-2025-0620.patch
@@ -0,0 +1,36 @@
+From 6f0ae60428a024b4aba92a8103a698c1eca2357c Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 23 May 2025 08:47:06 +0200
+Subject: [PATCH] CVE-2025-0620: smbd: smbd doesn't pick up group membership
+ changes when re-authenticating an expired SMB session
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15707
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Anoop C S <anoopcs@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Jule Anger <janger@samba.org>
+Autobuild-Date(master): Mon Jun  2 15:10:30 UTC 2025 on atb-devel-224
+
+Conflict: NA
+Reference: https://github.com/samba-team/samba/commit/6f0ae60428a024b4aba92a8103a698c1eca2357c
+---
+ source3/smbd/conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
+index 4e7e1ce01276..0e4d78237876 100644
+--- a/source3/smbd/conn.c
++++ b/source3/smbd/conn.c
+@@ -173,8 +173,8 @@ static void conn_clear_vuid_cache(connection_struct *conn, uint64_t vuid)
+ 
+ 	for (i=0; i<VUID_CACHE_SIZE; i++) {
+ 		ent = &conn->vuid_cache->array[i];
+-		if (ent->vuid != vuid) {
+-			continue;
++		if (ent->vuid == vuid) {
++			break;
+ 		}
+ 	}
+ 	if (i == VUID_CACHE_SIZE) {
diff --git a/samba.spec b/samba.spec
index 5ba87d7f6c857efcc990a11b2a921f4069d5e43e..e1739246f7f9d861ed4aa0ef9a6e80128aecd598 100644
--- a/samba.spec
+++ b/samba.spec
@@ -45,7 +45,7 @@
 
 Name:           samba
 Version:        4.22.1
-Release:        1
+Release:        2
 
 Summary:        A suite for Linux to interoperate with Windows
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -67,6 +67,7 @@ Source11:       samba-winbind-systemd-sysusers.conf
 Source201:      README.downgrade
 
 Patch1:         remove-sensitive-info.patch
+Patch2:         backport-CVE-2025-0620.patch
 
 
 BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@@ -3072,6 +3073,12 @@ fi
 %{_mandir}/man3/ldif*
 
 %changelog
+* Fri Jun 06 2025 xinghe <xinghe2@h-partners.com> - 4.22.1-2
+- Type:cves
+- ID:CVE-2025-0620
+- SUG:NA
+- DESC:fix CVE-2025-0620
+
 * Fri Apr 18 2025 Funda Wang <fundawang@yeah.net> - 4.22.1-1
 - Type:bugfix
 - ID:NA