diff --git a/0009-fix-CVE-2024-25621.patch b/0009-fix-CVE-2024-25621.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2a074f09a6dcbcf000766912ab805576a8a87bc9
--- /dev/null
+++ b/0009-fix-CVE-2024-25621.patch
@@ -0,0 +1,99 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task// is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda
+---
+ pkg/cri/cri.go | 8 ++++++++
+ runtime/v2/manager.go | 2 ++
+ services/server/server.go | 14 ++++++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index f89b23b..f226c25 100644
+--- a/pkg/cri/cri.go
++++ b/pkg/cri/cri.go
+@@ -19,6 +19,7 @@ package cri
+ import (
+ "flag"
+ "fmt"
++ "os"
+ "path/filepath"
+
+ "github.com/containerd/containerd"
+@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ return nil, fmt.Errorf("invalid plugin config: %w", err)
+ }
+
++ if err := os.MkdirAll(ic.State, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0755
++ if err := os.Chmod(ic.State, 0700); err != nil {
++ return nil, err
++ }
+ c := criconfig.Config{
+ PluginConfig: *pluginConfig,
+ ContainerdRootDir: filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 1927cbb..1f26bbe 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -109,6 +109,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ for _, d := range []string{config.Root, config.State} {
++ // root: the parent of this directory is created as 0700, not 0711.
++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 28ce79a..c4607a1 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+
+- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
+ return err
+ }
+
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+ if runtime.GOOS == "windows" {
+--
+2.43.0
+
diff --git a/k3s-containerd.spec b/k3s-containerd.spec
index 2e65bdb3dccb798057b45d9541e5fba8eceb1ac4..4e941aa9eb65c691529bba72b650ac9ab44e61dc 100644
--- a/k3s-containerd.spec
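Review bot: In the services/server/server.go part of the embedded patch, the upgrade chmod inside the `if config.TempDir != ""` branch targets `config.Root` instead of `config.TempDir`, so a temp directory that an older release created with 0o711 keeps those bits after upgrade and the CVE fix is incomplete for that path; the comment directly above it says the chmod is meant for that directory. The line should read `if err := os.Chmod(config.TempDir, 0700); err != nil {`, and since the defect is inside the vendored patch file, the correction belongs in 0009-fix-CVE-2024-25621.patch itself. The other two chmod/mkdir pairs (config.Root here and ic.State in pkg/cri/cri.go) use the matching path and look consistent with the commit message. CreateTopLevelDirectories continues outside the inner hunk, so whether later code in it relies on TempDir being 0o700 cannot be checked from here.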
+++ b/k3s-containerd.spec
@@ -3,7 +3,7 @@
%global version_suffix k3s1
Version: 1.6.6
Name: k3s-containerd
-Release: 14
+Release: 15
Summary: An industry-standard container runtime
License: Apache-2.0
URL: https://github.com/k3s-io/containerd
@@ -20,6 +20,7 @@ Patch0005: 0005-fix-CVE-2023-39325.patch
Patch0006: 0006-fix-CVE-2022-41723.patch
Patch0007: 0007-fix-CVE-2024-24786.patch
Patch0008: 0008-fix-CVE-2024-40635.patch
+Patch0009: 0009-fix-CVE-2024-25621.patch
BuildRequires: golang glibc-static make btrfs-progs-devel
@@ -84,6 +85,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib
%changelog
+* Wed Dec 10 2025 weiyucheng - 1.6.6-15
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-25621
+
* Wed Dec 10 2025 weiyucheng - 1.6.6-14
- Type:bugfix
- CVE:NA