diff --git a/0015-fix-CVE-2025-57275.patch b/0015-fix-CVE-2025-57275.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d63f00cf43cbe29ae849f4cf5860d4a8af472e13
--- /dev/null
+++ b/0015-fix-CVE-2025-57275.patch
@@ -0,0 +1,98 @@
+From 8981ddb1ccaf54f85d34482a5a644e075b58cb36 Mon Sep 17 00:00:00 2001
+From: Tomasz Zawadzki
+Date: Thu, 25 Sep 2025 18:51:37 +0200
+Subject: [PATCH] lib/nvmf: limit number of NVMe-oF registrants when updating
+ PTPL info
+
+Limit the number of NVMe-oF registrants that are kept when using PTPL (Persist through power loss).
+
+Change-Id: I5207652b4a6e7313b3b4dbee212aa2be692d8b59
+Signed-off-by: Joel Cunningham
+Reported-by: Joel Cunningham
+Signed-off-by: Tomasz Zawadzki
+Reviewed-on: https://review.spdk.io/c/spdk/spdk/+/26777
+Tested-by: SPDK Automated Test System
+Reviewed-by: Konrad Sztyber
+Reviewed-by: Jacek Kalwas
+---
+ lib/nvmf/subsystem.c | 11 ++++--
+ test/unit/lib/nvmf/subsystem.c/subsystem_ut.c | 34 +++++++++++++++++++
+ 2 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index a9bc42698..54de73d4f 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -2936,9 +2936,14 @@ nvmf_ns_update_reservation_info(struct spdk_nvmf_ns *ns)
+ }
+
+ TAILQ_FOREACH_SAFE(reg, &ns->registrants, link, tmp) {
+- spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
+- ®->hostid);
+- info.registrants[i++].rkey = reg->rkey;
++ if (i < SPDK_NVMF_MAX_NUM_REGISTRANTS) {
++ spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
++ ®->hostid);
++ info.registrants[i++].rkey = reg->rkey;
++ } else {
++ SPDK_ERRLOG("More registrants that can fit into reservation info, truncating\n");
++ break;
++ }
+ }
+
+ info.num_regs = i;
+diff --git a/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c b/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
+index b319eaca8..23d63d784 100644
+--- a/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
++++ b/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
+@@ -2702,6 +2702,39 @@ test_nvmf_reservation_custom_ops(void)
+ ut_reservation_deinit();
+ }
+
++static void
++test_nvmf_ns_reservation_add_max_registrants(void)
++{
++ struct spdk_nvmf_ns_reservation_ops ops = {
++ .is_ptpl_capable = ut_is_ptpl_capable,
++ .update = ut_update_reservation,
++ .load = ut_load_reservation,
++ };
++ spdk_nvmf_set_custom_ns_reservation_ops(&ops);
++ ut_reservation_init();
++
++ struct spdk_nvmf_reservation_info info = {};
++ int rc;
++
++ /* Register 1 past the max */
++ uint32_t i = 0;
++ for (i = 0; i < SPDK_NVMF_MAX_NUM_REGISTRANTS + 1; i++) {
++ spdk_uuid_generate(&g_ctrlr1_A.hostid);
++ rc = nvmf_ns_reservation_add_registrant(&g_ns, &g_ctrlr1_A, 0xa11 + i);
++ CU_ASSERT(rc == 0);
++ }
++ /* Update the reservation info */
++ rc = nvmf_ns_update_reservation_info(&g_ns);
++ CU_ASSERT(rc == 0);
++ /* Validate that info is capped at max */
++ rc = nvmf_ns_reservation_load(&g_ns, &info);
++ CU_ASSERT(rc == 0);
++ CU_ASSERT_EQUAL(info.num_regs, SPDK_NVMF_MAX_NUM_REGISTRANTS);
++ /* Clear should return max + 1 */
++ uint32_t cleared = nvmf_ns_reservation_clear_all_registrants(&g_ns);
++ CU_ASSERT_EQUAL(cleared, SPDK_NVMF_MAX_NUM_REGISTRANTS + 1);
++}
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -2740,6 +2773,7 @@ main(int argc, char **argv)
+ CU_ADD_TEST(suite, test_nvmf_ns_reservation_restore);
+ CU_ADD_TEST(suite, test_nvmf_subsystem_state_change);
+ CU_ADD_TEST(suite, test_nvmf_reservation_custom_ops);
++ CU_ADD_TEST(suite, test_nvmf_ns_reservation_add_max_registrants);
+
+ allocate_threads(1);
+ set_thread(0);
+--
+2.47.2
+
diff --git a/spdk.spec b/spdk.spec
index 95ef3e73dd8acf68547748ba43bb861f93ffe43a..4cd142be93958eabf22ddd0deed6c8135bd78585 100644
--- a/spdk.spec
+++ b/spdk.spec
@@ -4,7 +4,7 @@
 Name: spdk
 Version: 24.01
-Release: 12
+Release: 13
 Summary: Set of libraries and utilities for high performance user-mode storage
 License: BSD and MIT
 URL: http://spdk.io
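Review bot: The new `i < SPDK_NVMF_MAX_NUM_REGISTRANTS` guard in `nvmf_ns_update_reservation_info` bounds the write into `info.registrants[]`, but the limit is enforced only when the PTPL info is written. The added unit test itself expects `nvmf_ns_reservation_add_registrant` to return 0 for all `SPDK_NVMF_MAX_NUM_REGISTRANTS + 1` registrants and the update to return 0 after truncating. The persisted state can therefore silently differ from the in-memory list, with only an error log as evidence. Rejecting a registration once the list already holds `SPDK_NVMF_MAX_NUM_REGISTRANTS` entries would keep the two consistent; it is also worth confirming that no other code copies `ns->registrants` into a fixed-size array, and how the holder is saved when it is among the dropped entries, since both are outside the hunk. Separately, the log text should read `SPDK_ERRLOG("More registrants than can fit into reservation info, truncating\n");`, and the new test ends without the `ut_reservation_deinit()` call that appears to close `test_nvmf_reservation_custom_ops`, so its state may leak into later tests.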
@@ -23,6 +23,7 @@ Patch11: 0011-Adapt-for-ES3000-serial-vendor-special-opcode-in-CUS.patch Patch12: 0012-adapt-for-spdk-24.01.patch Patch13: 0013-vhost-add-vhost-interrupt-coalescing.patch Patch14: 0014-setup_self-sh-fix-incorrect-parameter-list-printing-.patch +Patch15: 0015-fix-CVE-2025-57275.patch %define package_version %{version}-%{release} @@ -204,6 +205,9 @@ mv doc/output/html/ %{install_docdir} %changelog +* Thu Nov 27 2025 zhangjian - 24.01-13 +- fix CVE-2025-57275 + * Tue Oct 28 2025 yinyongkang - 24.01-12 - setup_self.sh: fix incorrect parameter list printing help manual