diff --git a/containerd.spec b/containerd.spec
index 1eb94b179ab9f22da28b6aa3525052bc3c17ffd9..d74b34fc8754169b6459fd132a026084d7b0428a 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.6.22
 Name: containerd
-Release: 23
+Release: 24
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -68,6 +68,12 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml
 %exclude %{_bindir}/containerd-stress
 %changelog
+* Thu Sep 18 2025 dongyuzhen - 1.6.22-24
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2023-47108
+
 * Mon Aug 25 2025 Yu Peng - 1.6.22-23
 - Type:bugfix
 - ID:NA
diff --git a/git-commit b/git-commit
index 4cdbc79ac9f66a38a28b57670f3489544e334e88..3d9c301d404df781e6ae1fc4f0cffc4ad71ebda2 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-505c543740cc9cd666836e5c541d60d5296fa6ee
+2ac7db5bca96aacae4851ae389a71c8e83818473
diff --git a/patch/0047-containerd-fix-CVE-2023-47108.patch b/patch/0047-containerd-fix-CVE-2023-47108.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9680ab4444d87d26f42cf6dfa742ad8b6da248bc
--- /dev/null
+++ b/patch/0047-containerd-fix-CVE-2023-47108.patch
@@ -0,0 +1,78 @@
+From b44dfc9092b157625a5815cb437583cee663333b Mon Sep 17 00:00:00 2001
+From: Aaron Clawson <3766680+MadVikingGod@users.noreply.github.com>
+Date: Mon, 6 Nov 2023 17:34:22 -0600
+Subject: [PATCH] otelgrpc: Remove high cardinality metric attributes (#4322)
+
+---
+ .../grpc/otelgrpc/interceptor.go | 28 +++++++++++--------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+index b1d9f64..df0fb70 100644
+--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
++++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+@@ -81,7 +81,7 @@ func UnaryClientInterceptor(opts ...Option) grpc.UnaryClientInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(method, cc.Target())
++ name, attr, _ := telemetryAttributes(method, cc.Target())
+ var span trace.Span
+ ctx, span = tracer.Start(
+ ctx,
+@@ -251,7 +251,7 @@ func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(method, cc.Target())
++ name, attr, _ := telemetryAttributes(method, cc.Target())
+ var span trace.Span
+ ctx, span = tracer.Start(
+ ctx,
+@@ -311,7 +311,7 @@ func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
++ name, attr, metricAttrs := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ ctx, span := tracer.Start(
+ trace.ContextWithRemoteSpanContext(ctx, spanCtx),
+ name,
+@@ -400,7 +400,7 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
+ trace.WithInstrumentationVersion(SemVersion()),
+ )
+
+- name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
++ name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ ctx, span := tracer.Start(
+ trace.ContextWithRemoteSpanContext(ctx, spanCtx),
+ name,
+@@ -423,14 +423,18 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
+ }
+ }
+
+-// spanInfo returns a span name and all appropriate attributes from the gRPC
+-// method and peer address.
+-func spanInfo(fullMethod, peerAddress string) (string, []attribute.KeyValue) {
+- attrs := []attribute.KeyValue{RPCSystemGRPC}
+- name, mAttrs := internal.ParseFullMethod(fullMethod)
+- attrs = append(attrs, mAttrs...)
+- attrs = append(attrs, peerAttr(peerAddress)...)
+- return name, attrs
++// telemetryAttributes returns a span name and span and metric attributes from
++// the gRPC method and peer address.
++func telemetryAttributes(fullMethod, peerAddress string) (string, []attribute.KeyValue, []attribute.KeyValue) {
++ name, methodAttrs := internal.ParseFullMethod(fullMethod)
++ peerAttrs := peerAttr(peerAddress)
++
++ attrs := make([]attribute.KeyValue, 0, 1+len(methodAttrs)+len(peerAttrs))
++ attrs = append(attrs, RPCSystemGRPC)
++ attrs = append(attrs, methodAttrs...)
++ metricAttrs := attrs[:1+len(methodAttrs)]
++ attrs = append(attrs, peerAttrs...)
++ return name, attrs, metricAttrs
+ }
+
+ // peerAttr returns attributes about the peer address.
+--
+2.43.0
\ No newline at end of file
diff --git a/series.conf b/series.conf
index 2cd35fdf38b07002c4a9f7c2ada712d4011f0275..6cbcb8579f2b7a97ce1a00cdc2c99b2cc00035f3 100644
--- a/series.conf
+++ b/series.conf
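Review bot: In the interceptor.go patch carried as patch/0047, the `UnaryServerInterceptor` hunk binds `metricAttrs` but none of the five hunks reads it, and the 16 insertions and 12 deletions in the diffstat are all accounted for by the lines shown. If the vendored function records its server metric with `attr...` further down, outside the hunks, the peer address attributes still reach the metric and CVE-2023-47108 is not actually closed; that call should pass `metricAttrs...`. If this vendored version records no metric there, the variable is unused, which Go rejects at compile time, and the binding should be `name, attr, _ :=` as in the other three interceptors. Separately, `metricAttrs := attrs[:1+len(methodAttrs)]` shares its backing array with `attrs`, so a later append to it would overwrite the first peer attribute; `metricAttrs := attrs[:1+len(methodAttrs):1+len(methodAttrs)]` caps the slice and prevents that.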
@@ -43,3 +43,4 @@ patch/0043-containerd-delete-task-asynchronously-to-avoid-conta.patch
 patch/0044-containerd-fix-dead-loop.patch
 patch/0045-containerd-remove-limitnofile-from-containerd-service.patch
 patch/0046-containerd-Fix-ctr-snapshot-mount-produce-invalid-mount-command.patch
+patch/0047-containerd-fix-CVE-2023-47108.patch