diff --git a/0029-bugfix-for-CVE-2025-8277.patch b/0029-bugfix-for-CVE-2025-8277.patch
new file mode 100644
index 0000000000000000000000000000000000000000..780b22d3df54607a7023abd2a2cad242e78f1e37
--- /dev/null
+++ b/0029-bugfix-for-CVE-2025-8277.patch
@@ -0,0 +1,38 @@
+From 4310a696f2d632c6742678077d703d9b9ff3bc0e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 5 Aug 2025 18:42:31 +0200
+Subject: CVE-2025-8277: packet: Adjust packet filter to work when DH-GEX is guessed wrongly
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+Conflict:NA
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=4310a696f2d632c6742678077d703d9b9ff3bc0e
+
+---
+ src/packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/packet.c b/src/packet.c
+index 36910499..5b32f46b 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -294,6 +294,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
+          *   or session_state == SSH_SESSION_STATE_INITIAL_KEX
+          * - dh_handshake_state == DH_STATE_INIT
+          *   or dh_handshake_state == DH_STATE_INIT_SENT (re-exchange)
++         *   or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex)
+          *   or dh_handshake_state == DH_STATE_FINISHED (re-exchange)
+          *
+          * Transitions:
+@@ -313,6 +314,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
+ 
+         if ((session->dh_handshake_state != DH_STATE_INIT) &&
+             (session->dh_handshake_state != DH_STATE_INIT_SENT) &&
++            (session->dh_handshake_state != DH_STATE_REQUEST_SENT) &&
+             (session->dh_handshake_state != DH_STATE_FINISHED))
+         {
+             rc = SSH_PACKET_DENIED;
+-- 
+cgit v1.2.3
+
diff --git a/0030-bugfix-for-CVE-2025-8277.patch b/0030-bugfix-for-CVE-2025-8277.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d8013333a9db9dffcb9be06eab066b5c44ba6393
--- /dev/null
+++ b/0030-bugfix-for-CVE-2025-8277.patch
@@ -0,0 +1,115 @@
+From ccff22d3787c1355b3f0dcd09fe54d90acc55bf1 Mon Sep 17 00:00:00 2001
+From: Francesco Rollo <eferollo@gmail.com>;Jakub Jelen<jjelen@redhat.com>
+Date: Thu, 24 Jul 2025 16:30:07 +0300
+Subject: CVE-2025-8277: Fix memory leak of unused ephemeral key pair after client's wrong KEX guess
+CVE-2025-8277: ecdh: Free previously allocated pubkeys
+
+Signed-off-by: Francesco Rollo <eferollo@gmail.com>;Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>;Andreas Schneider <asn@cryptomilk.org>
+
+Conflict: adapt for src/ecdh_crypto.c, src/curve25519_crypto.c and src/curve25519_gcrypt.c don't exist
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=ccff22d3787c1355b3f0dcd09fe54d90acc55bf1
+https://git.libssh.org/projects/libssh.git/patch/?id=c9d95ab0c7a52b231bcec09afbea71944ed0d852
+---
+ src/dh_crypto.c       |  5 +++++
+ src/dh_key.c          |  5 +++++
+ src/ecdh_crypto.c     | 10 ++++++++++
+ src/ecdh_gcrypt.c     |  7 +++++++
+ src/ecdh_mbedcrypto.c |  6 ++++++
+ 5 files changed, 33 insertions(+)
+
+diff --git a/src/dh_crypto.c b/src/dh_crypto.c
+index 4dd9b50..cedfbc8 100644
+--- a/src/dh_crypto.c
++++ b/src/dh_crypto.c
+@@ -407,6 +407,11 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
+     struct dh_ctx *ctx = NULL;
+     int rc;
+ 
++    /* Cleanup any previously allocated dh_ctx */
++    if (crypto->dh_ctx != NULL) {
++        ssh_dh_cleanup(crypto);
++    }
++
+     ctx = calloc(1, sizeof(*ctx));
+     if (ctx == NULL) {
+         return SSH_ERROR;
+diff --git a/src/dh_key.c b/src/dh_key.c
+index 20d24a3..d9743ce 100644
+--- a/src/dh_key.c
++++ b/src/dh_key.c
+@@ -237,6 +237,11 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto)
+     struct dh_ctx *ctx = NULL;
+     int rc;
+ 
++    /* Cleanup any previously allocated dh_ctx */
++    if (crypto->dh_ctx != NULL) {
++        ssh_dh_cleanup(crypto);
++    }
++
+     ctx = calloc(1, sizeof(*ctx));
+     if (ctx == NULL) {
+         return SSH_ERROR;
+diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
+index b674b2e..2ce2ff2 100644
+--- a/src/ecdh_crypto.c
++++ b/src/ecdh_crypto.c
+@@ -218,8 +218,18 @@ int ssh_client_ecdh_init(ssh_session session){
+       SSH_STRING_FREE(client_pubkey);
+       return SSH_ERROR;
+   }
++/* Free any previously allocated privkey */
++  if (session->next_crypto->ecdh_privkey != NULL) {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++      EC_KEY_free(session->next_crypto->ecdh_privkey);
++#else
++      EVP_PKEY_free(session->next_crypto->ecdh_privkey);
++#endif
++      session->next_crypto->ecdh_privkey = NULL;
++  }
+ 
+   session->next_crypto->ecdh_privkey = key;
++  ssh_string_free(session->next_crypto->ecdh_client_pubkey);
+   session->next_crypto->ecdh_client_pubkey = client_pubkey;
+ 
+   /* register the packet callbacks */
+diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
+index a8a8c37..5831a30 100644
+--- a/src/ecdh_gcrypt.c
++++ b/src/ecdh_gcrypt.c
+@@ -101,8 +101,15 @@ int ssh_client_ecdh_init(ssh_session session)
+         goto out;
+     }
+ 
++    /* Free any previously allocated privkey */
++    if (session->next_crypto->ecdh_privkey != NULL) {
++        gcry_sexp_release(session->next_crypto->ecdh_privkey);
++        session->next_crypto->ecdh_privkey = NULL;
++    }
+     session->next_crypto->ecdh_privkey = key;
+     key = NULL;
++
++    SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);
+     session->next_crypto->ecdh_client_pubkey = client_pubkey;
+     client_pubkey = NULL;
+ 
+diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
+index dda7392..6074b93 100644
+--- a/src/ecdh_mbedcrypto.c
++++ b/src/ecdh_mbedcrypto.c
+@@ -70,6 +70,12 @@ int ssh_client_ecdh_init(ssh_session session)
+         return SSH_ERROR;
+     }
+ 
++    /* Free any previously allocated privkey */
++    if (session->next_crypto->ecdh_privkey != NULL) {
++        mbedtls_ecp_keypair_free(session->next_crypto->ecdh_privkey);
++        SAFE_FREE(session->next_crypto->ecdh_privkey);
++    }
++
+     session->next_crypto->ecdh_privkey = malloc(sizeof(mbedtls_ecp_keypair));
+     if (session->next_crypto->ecdh_privkey == NULL) {
+         return SSH_ERROR;
+-- 
+2.33.0
+
diff --git a/0031-bugfix-for-CVE-2025-8277.patch b/0031-bugfix-for-CVE-2025-8277.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b080e0339eb8185e1c22028e071d2c20a3b92d2c
--- /dev/null
+++ b/0031-bugfix-for-CVE-2025-8277.patch
@@ -0,0 +1,46 @@
+From ffed80f8c078122990a4eba2b275facd56dd43e0 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 6 Aug 2025 15:32:56 +0200
+Subject: CVE-2025-8277: mbedtls: Avoid leaking ecdh keys
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+Conflict:NA
+Reference:https://git.libssh.org/projects/libssh.git/patch/?id=ffed80f8c078122990a4eba2b275facd56dd43e0
+---
+ src/ecdh_mbedcrypto.c | 1 +
+ src/wrapper.c         | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c
+index dda7392..bd054d6 100644
+--- a/src/ecdh_mbedcrypto.c
++++ b/src/ecdh_mbedcrypto.c
+@@ -110,6 +110,7 @@ int ssh_client_ecdh_init(ssh_session session)
+         goto out;
+     }
+ 
++    SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey);
+     session->next_crypto->ecdh_client_pubkey = client_pubkey;
+     client_pubkey = NULL;
+ 
+diff --git a/src/wrapper.c b/src/wrapper.c
+index 43bf213..5f1c0e2 100644
+--- a/src/wrapper.c
++++ b/src/wrapper.c
+@@ -190,7 +190,10 @@ void crypto_free(struct ssh_crypto_struct *crypto)
+ #endif /* OPENSSL_VERSION_NUMBER */
+ #elif defined HAVE_GCRYPT_ECC
+         gcry_sexp_release(crypto->ecdh_privkey);
+-#endif
++#elif defined HAVE_LIBMBEDCRYPTO
++        mbedtls_ecp_keypair_free(crypto->ecdh_privkey);
++        SAFE_FREE(crypto->ecdh_privkey);
++#endif /* HAVE_LIBGCRYPT */
+         crypto->ecdh_privkey = NULL;
+     }
+ #endif
+-- 
+2.33.0
+
diff --git a/libssh.spec b/libssh.spec
index deba1b44ff3e09e6875bf34a8239bf6936bf3c3e..8523107ea0a0e36bd7116a98a08d9f41dc07166c 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,4 +1,4 @@
-%define anolis_release 10
+%define anolis_release 11
 %global _smp_build_ncpus 1
 
 Name:           libssh
@@ -50,6 +50,9 @@ Patch0026:      1026-CVE-2025-5351.patch
 Patch0027:	0027-CVE-2025-4878-legacy-Properly-check-return-value-to-.patch
 # https://git.libssh.org/projects/libssh.git/diff/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
 Patch0028:	0028-CVE-2025-4878-Initialize-pointers-where-possible.patch
+Patch0029:	0029-bugfix-for-CVE-2025-8277.patch
+Patch0030:	0030-bugfix-for-CVE-2025-8277.patch
+Patch0031:	0031-bugfix-for-CVE-2025-8277.patch
 
 BuildRequires:  cmake gcc-c++
 BuildRequires:  openssl-devel zlib-devel krb5-devel libcmocka-devel
@@ -160,6 +163,9 @@ popd
 %doc AUTHORS CHANGELOG README
 
 %changelog
+* Wed Oct 15 2025 tomcruiseqi <tomcruiseqi@inspur.com> - 0.10.5-11
+- Fix CVE-2025-8277
+
 * Tue Sep 18 2025 wh02252983 <wh02252983@alibaba-inc.com> - 0.10.5-10
 - Add patch to fix CVE-2025-4878