diff --git a/backport-fix-incorrect-handling-in-name-constraints-merging.patch b/backport-fix-incorrect-handling-in-name-constraints-merging.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7745177a2fc3db85bcb1cdfeb13ff7cdbd8c3bfa
--- /dev/null
+++ b/backport-fix-incorrect-handling-in-name-constraints-merging.patch
@@ -0,0 +1,115 @@
+From 6e118a4dfe820ce62fc77130b89188bcd8fbcaad Mon Sep 17 00:00:00 2001
+From: chenjianhu <chenjianhu@kylinos.cn>
+Date: Fri, 1 Aug 2025 17:18:23 +0800
+Subject: [PATCH] x509: fix incorrect handling in name constraints merging
+
+As mentioned in commit ca573d65 ("x509: Fix asymmetry in name
+constraints intersection", 2016-07-29), the
+_gnutls_name_constraints_intersect function exhibited an
+asymmetry in name constraints intersection behavior, specifically
+manifested as:
+1. Nodes of unique types in PERMITTED (absent in PERMITTED2) were
+   preserved
+2. Nodes of unique types in PERMITTED2 (absent in PERMITTED) were
+   discarded
+
+A 'used' flag was introduced, where if a node from PERMITTED2 was
+   not used for the intersection, it would be copied to PERMITTED.
+
+However,an unresolved edge case persisted:
+- When 'removed.size > 0', the 'used' flag was unconditionally set
+to 1
+- This prevented copying of PERMITTED2 nodes with unique types
+
+Signed-off-by: chenjianhu <chenjianhu@kylinos.cn>
+Modified-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/x509/name_constraints.c    |  5 +++-
+ tests/name-constraints-merge.c | 55 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
+index 3c6e306303..2be6a2aaa6 100644
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -414,7 +414,10 @@ static int name_constraints_node_list_intersect(
+ 				gnutls_assert();
+ 				goto cleanup;
+ 			}
+-			used = 1;
++
++			if (t->type == t2->type)
++				used = 1;
++
+ 			// if intersection is not empty
+ 			if (tmp !=
+ 			    NULL) { // intersection for this type is not empty
+diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
+index 03b3243cc7..70376aaa74 100644
+--- a/tests/name-constraints-merge.c
++++ b/tests/name-constraints-merge.c
+@@ -418,6 +418,61 @@ void doit(void)
+ 	gnutls_x509_name_constraints_deinit(nc1);
+ 	gnutls_x509_name_constraints_deinit(nc2);
+ 
++	/* 5: variant of suite 0: after moving rfc822Name (ccc.com)
++	 * from NC1 to NC2, dNSName (xxx.ccc.com) should still be
++	 * rejected.
++	 *
++	 * NC1: permitted DNS org
++	 *      permitted DNS ccc.com
++	 * NC2: permitted DNS org
++	 *      permitted email ccc.com
++	 *      permitted DNS aaa.bbb.ccc.com
++	 */
++	suite = 5;
++
++	ret = gnutls_x509_name_constraints_init(&nc1);
++	check_for_error(ret);
++
++	ret = gnutls_x509_name_constraints_init(&nc2);
++	check_for_error(ret);
++
++	set_name("org", &name);
++	ret = gnutls_x509_name_constraints_add_permitted(
++		nc1, GNUTLS_SAN_DNSNAME, &name);
++	check_for_error(ret);
++
++	set_name("ccc.com", &name);
++	ret = gnutls_x509_name_constraints_add_permitted(
++		nc1, GNUTLS_SAN_DNSNAME, &name);
++	check_for_error(ret);
++
++	set_name("org", &name);
++	ret = gnutls_x509_name_constraints_add_permitted(
++		nc2, GNUTLS_SAN_DNSNAME, &name);
++	check_for_error(ret);
++
++	set_name("ccc.com", &name);
++	ret = gnutls_x509_name_constraints_add_permitted(
++		nc2, GNUTLS_SAN_RFC822NAME, &name);
++	check_for_error(ret);
++
++	set_name("aaa.bbb.ccc.com", &name);
++	ret = gnutls_x509_name_constraints_add_permitted(
++		nc2, GNUTLS_SAN_DNSNAME, &name);
++	check_for_error(ret);
++
++	ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
++	check_for_error(ret);
++
++	/* check intersection of permitted */
++	set_name("xxx.ccc.com", &name);
++	ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME,
++						 &name);
++	check_test_result(suite, ret, NAME_REJECTED, &name);
++
++	gnutls_x509_name_constraints_deinit(nc1);
++	gnutls_x509_name_constraints_deinit(nc2);
++
+ 	/* Test footer */
+ 
+ 	if (debug)
+-- 
+GitLab
+
diff --git a/gnutls.spec b/gnutls.spec
index 2b7a179d555bf13d96532861db4e39a4c1b31337..89db94e85112ade99b9bafe0faa8e5626ff9bbe1 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.8.2
-Release: 7
+Release: 8
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -19,6 +19,7 @@ Patch7: CVE-2025-32989-x509-fix-read-buffer-overrun-in-SCT-timestamps.patch
 Patch8: CVE-2025-32990-certtool-avoid-1-byte-write-buffer-overrun-when-pars.patch
 Patch9: CVE-2025-6395-handshake-clear-HSK_PSK_SELECTED-is-when-resetting-b.patch
 Patch10: gnutls-3.8.2-sw.patch
+Patch11: backport-fix-incorrect-handling-in-name-constraints-merging.patch 
 
 %bcond_without dane
 %bcond_with guile
@@ -251,6 +252,9 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Fri Aug 29 2025 chenjianhu <chenjianhu@kylinos.cn> - 3.8.2-8
+- backport upsteam patche to fix incorrect handling in name constraints merging
+
 * Tue Aug 12 2025 mahailiang <mahailiang@uniontech.com> - 3.8.2-7
 - add sw_64 support