diff --git a/backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch b/backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c091172f99a9dd5f727775dcc5d9013ff31396f0
--- /dev/null
+++ b/backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch
@@ -0,0 +1,31 @@
+From 9e91358f365dee6c446dcdcdb01c04d2743fd280 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+Fixes CVE-2025-9230
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+Reviewed-by: Tomas Mraz
+(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index a7d609f83791a..ee1b8aa6ed61d 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
diff --git a/openresty-openssl111.spec b/openresty-openssl111.spec
index 90f9fcd675a315676000ac668785cda138c9ca84..400470b76bf75e61fa8a35db61a3881522824b82 100644
--- a/openresty-openssl111.spec
+++ b/openresty-openssl111.spec
@@ -1,6 +1,6 @@
 Name: openresty-openssl111
 Version: 1.1.1h
-Release: 8
+Release: 9
 Summary: OpenSSL library for OpenResty
 Group: Development/Libraries
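Review bot: The corrected guard `++ if (inlen < 4 + (size_t)tmp[0]) {` has the right bound, but the constant 4 is left unexplained and the neighbouring `/* Invalid length value */` comment says nothing about which direction is invalid; I would replace that comment with one that pins the layout the check relies on, e.g. `/* tmp[0] is the unwrapped key length and the key starts at tmp[4] (after the three check bytes), so the key must satisfy 4 + tmp[0] <= inlen */`, so that the next edit does not reintroduce the subtract-instead-of-add the removed line had. That layout is my reading of the visible check-byte comparison and the `tmp + 4` offset rather than something this hunk states, so confirm it against the wrapping side before wording the comment. The new check still admits `tmp[0] == 0`; whether a zero-length unwrapped key is acceptable depends on the caller, so if no caller rejects it an explicit `if (tmp[0] == 0) goto err;` next to this check would be cheap. kek_unwrap_key's body starts and ends outside this hunk, so the copy this length guards (presumably a memcpy from `tmp + 4` of `tmp[0]` bytes into `out`) is not visible here and I have not verified it or the size of `out`.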
@@ -18,6 +18,7 @@ Patch102: backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.p
 Patch103: backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
 Patch104: backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch
 Patch105: backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
+Patch106: backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -127,6 +128,7 @@ Provides C header and static library for the debug version of OpenResty's OpenSS
 %patch103 -p1
 %patch104 -p1
 %patch105 -p1
+%patch106 -p1
 %build
 bash ./copy-dir.sh
@@ -269,6 +271,10 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a
 %changelog
+* Fri Oct 17 2025 andy - 1.1.1h-9
+- Fix CVE-2025-9230
+ Fix incorrect check of unwrapped key size
+
 * Fri Aug 1 2025 andy - 1.1.1h-8
 - Fix CVE-2024-4741
 Only free the read buffers if we're not using them