diff --git a/backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch b/backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c091172f99a9dd5f727775dcc5d9013ff31396f0
--- /dev/null
+++ b/backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch
@@ -0,0 +1,31 @@
+From 9e91358f365dee6c446dcdcdb01c04d2743fd280 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+
+Reviewed-by: Neil Horman
+Reviewed-by: Matt Caswell
+Reviewed-by: Tomas Mraz
+(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index a7d609f83791a..ee1b8aa6ed61d 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
diff --git a/openresty-openssl111.spec b/openresty-openssl111.spec
index 2e195ae4be1891f8621d1c6091f8bbadb0ba0def..c10bc7d1b008ee2077a2d94172703f76e4d88061 100644
--- a/openresty-openssl111.spec
+++ b/openresty-openssl111.spec
@@ -1,6 +1,6 @@
 Name: openresty-openssl111
 Version: 1.1.1h
-Release: 6
+Release: 7
 Summary: OpenSSL library for OpenResty
 Group: Development/Libraries
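Review bot: The corrected bound `if (inlen < 4 + (size_t)tmp[0])` is right but still unexplained: tmp[0] is an unsigned char so `4 + tmp[0]` cannot overflow, and the old `tmp[0] - 4` (evaluated as a signed int) let tmp[0] reach inlen + 4 when the bytes copied out of tmp + 4 require tmp[0] <= inlen - 4, which is the 8-byte gap the description names, yet the consumer of tmp[0] sits outside the hunk and the constant 4 is not tied to anything a reader can see. I would widen the existing comment to `/* tmp[0] is the unwrapped key length; the 4-byte header (length byte + check bytes tested above) plus the key must fit in the inlen bytes decrypted into tmp */` so the next person touching the check does not reintroduce the off-by-8. Separately, the nested hunk header `@@ -242,7 +242,7 @@` and its context come from the 3.x tree the commit was cherry-picked from rather than from 1.1.1h; patch(1) tolerates a line offset, but rpm's %patch runs with fuzz 0 by default, so the backport should be confirmed to apply in %prep and regenerated against 1.1.1h if the surrounding lines differ. kek_unwrap_key starts and ends outside the hunk.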
@@ -16,6 +16,7 @@ Patch100: CVE-2021-23841.patch
 Patch101: backport-CVE-2022-4450.patch
 Patch102: backport-CVE-2024-4741-Only-free-the-read-buffers-if-not-using.patch
 Patch103: backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
+Patch104: backport-CVE-2025-9230-Fix-incorrect-check-of-unwrapped-key-size.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -123,6 +124,7 @@ Provides C header and static library for the debug version of OpenResty's OpenSS
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1
+%patch104 -p1
 %build
 bash ./copy-dir.sh
@@ -265,6 +267,10 @@ rm -rf %{buildroot}
 %attr(0755,root,root) %{openssl_prefix_debug}/lib/*.a
 %changelog
+* Fri Oct 17 2025 andy - 1.1.1h-7
+- Fix CVE-2025-9230
+ Fix incorrect check of unwrapped key size
+
 * Fri Aug 1 2025 andy - 1.1.1h-6
 - Fix CVE-2024-5535
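Review bot: Adding `Patch104` continues a one-CVE-at-a-time backport series on top of a `Version: 1.1.1h` base that upstream stopped maintaining with 1.1.1w in September 2023, and only Patch100 through Patch104 are visible here, so I cannot tell whether the 1.1.1 fixes released between 1.1.1h and 1.1.1w are carried by patches outside this view. If they are not, each new CVE advisory will need the same manual cherry-pick and line-offset check, and a rebase of this package onto 1.1.1w (or onto the OpenResty-maintained OpenSSL tree) would close the gap more reliably than further backports. At minimum the %prep hunk should be built once to confirm `%patch104 -p1` applies at fuzz 0 against the 1.1.1h cms_pwri.c, since the patch file's context was taken from a 3.x checkout.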