diff --git a/containerd.spec b/containerd.spec index 02ab8550448a217c18d52b303f334ee8f1513aef..364e3059fef8824a7e48ea45693b5de7dd544873 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.6.22 Name: containerd -Release: 25 +Release: 26 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -68,6 +68,12 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml %exclude %{_bindir}/containerd-stress %changelog +* Tue Dec 16 2025 dongyuzhen - 1.6.22-26 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:backport some patches + * Tue Nov 25 2025 dongyuzhen - 1.6.22-25 - Type:CVE - ID:NA diff --git a/git-commit b/git-commit index bf201d3036350efb1108398cd5a9024923552bf5..7d973e34202de13d20330f8932c63873fe6b852e 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -7210b98a169f53a4a25ad82b4ed84667a57a7d9c +1f4b4c8a7d6a6092e29b184828da66b3f194ab0e diff --git a/patch/0049-containerd-fix-possible-panic-from-WithMediaTypeKeyPref.patch b/patch/0049-containerd-fix-possible-panic-from-WithMediaTypeKeyPref.patch new file mode 100644 index 0000000000000000000000000000000000000000..70f71dbb7e5e64b4647267b300de65b8bb9a971c --- /dev/null +++ b/patch/0049-containerd-fix-possible-panic-from-WithMediaTypeKeyPref.patch 
@@ -0,0 +1,40 @@
+From c6aa3a443df8f96d87af6de40ca7d29d759cc946 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Tue, 11 Nov 2025 22:15:15 -0800
+Subject: [PATCH] remotes: fix possible panic from WithMediaTypeKeyPrefix
+
+As the same instance of a map is used in context and mutated
+directly, this leads to a situation where:
+- Calling WithMediaTypeKeyPrefix from parallel goroutines where
+ the context was based on the same base context can trigger a panic.
+- A subcontext calling WithMediaTypeKeyPrefix changes the value for
+ another context when they both originate from the same base context.
+
+Signed-off-by: Tonis Tiigi
+---
+ remotes/handlers.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/remotes/handlers.go b/remotes/handlers.go
+index 4d91ed2e5..0f41dae14 100644
+--- a/remotes/handlers.go
++++ b/remotes/handlers.go
+@@ -21,6 +21,7 @@ import (
+ "errors"
+ "fmt"
+ "io"
++ "maps"
+ "strings"
+ "sync"
+
+@@ -44,6 +45,7 @@ func WithMediaTypeKeyPrefix(ctx context.Context, mediaType, prefix string) conte
+ var values map[string]string
+ if v := ctx.Value(refKeyPrefix{}); v != nil {
+ values = v.(map[string]string)
++ values = maps.Clone(values)
+ } else {
+ values = make(map[string]string)
+ }
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index 5adb4fa744c83a643d4065b745adf4be5f6c3164..64e6ca3192549ccbc497ed0b54b891394fb48910 100644
--- a/series.conf
+++ b/series.conf
@@ -45,3 +45,4 @@ patch/0045-containerd-Fix-ctr-snapshot-mount-produce-invalid-mount-command.patch
 patch/0046-containerd-cri-Fix-userns-with-Dockerfile-VOLUME-mounts.patch
 patch/0047-containerd-fix-CVE-2024-25621.patch
 patch/0048-containerd-fix-CVE-2025-64329.patch
+patch/0049-containerd-fix-possible-panic-from-WithMediaTypeKeyPref.patch
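Review bot: The `"maps"` import added in the embedded remotes/handlers.go hunk of patch/0049 is a standard-library package that only exists from Go 1.21, and nothing in this commit shows which Go toolchain containerd.spec builds 1.6.22 with, so the backport may not compile on an older builder. Either confirm that the build requirement covers Go 1.21 or later, or carry the clone without the new import, e.g. `cloned := make(map[string]string, len(values))` followed by `for k, val := range values { cloned[k] = val }` and `values = cloned`. The fix deserves that care: unsynchronised writes to a shared map are reported by the Go runtime as a fatal error that `recover` cannot intercept, so the changelog entry could name this as a daemon-availability fix instead of "backport some patches". WithMediaTypeKeyPrefix continues past the end of the embedded hunk, so the write that follows the clone is not visible here.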