diff --git a/backport-Fix-crash-on-empty-TXT-records.patch b/backport-Fix-crash-on-empty-TXT-records.patch
new file mode 100644
index 0000000000000000000000000000000000000000..82d18f844cdec2b4cfea887c46fe5b5faab33ebf
--- /dev/null
+++ b/backport-Fix-crash-on-empty-TXT-records.patch
@@ -0,0 +1,37 @@
+From 6a7877183ef668d3b52df1f2926acc8be6f1c475 Mon Sep 17 00:00:00 2001
+From: David Zhou
+Date: Fri, 24 May 2024 02:40:06 +0000
+Subject: [PATCH] Fix crash on empty TXT records
+
+In k5_try_realm_txt_rr(), error out if the first text string in a TXT
+record is empty or if its length exceeds the record length.
+
+This function is only used when dns_lookup_realm is set to true in
+krb5.conf. An alternative implementation is used on Windows.
+
+[ghudson@mit.edu: moved zero-length check and added upper bound check;
+rewrote commit message]
+
+ticket: 9174 (new)
+---
+ src/lib/krb5/os/dnsglue.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
+index 5da550c1e86..fd403aa752e 100644
+--- a/src/lib/krb5/os/dnsglue.c
++++ b/src/lib/krb5/os/dnsglue.c
+@@ -470,12 +470,10 @@ k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name,
+ }
+
+ ret = krb5int_dns_nextans(ds, &base, &rdlen);
+- if (ret < 0 || base == NULL)
++ if (ret < 0 || rdlen < 2 || *base == 0 || *base > rdlen - 1)
+ goto errout;
+
+ p = base;
+- if (!INCR_OK(base, rdlen, p, 1))
+- goto errout;
+ len = *p++;
+ *realm = malloc((size_t)len + 1);
+ if (*realm == NULL) {
diff --git a/backport-Simplify-preauth-fallback-disabling.patch b/backport-Simplify-preauth-fallback-disabling.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0332c988dfa2b895d5a74c1c1ed9044e84ed96a3
--- /dev/null
+++ b/backport-Simplify-preauth-fallback-disabling.patch
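Review bot: The rewritten guard in k5_try_realm_txt_rr() drops the `base == NULL` test and now dereferences `*base` whenever `rdlen >= 2`, so it is only safe if krb5int_dns_nextans() always leaves rdlen at 0 when it returns without an answer; that contract is not visible in the hunk. Because this rdata comes straight off the wire when dns_lookup_realm is enabled, I would keep the explicit null test as cheap belt-and-braces: `if (ret < 0 || base == NULL || rdlen < 2 || *base == 0 || *base > rdlen - 1)`. A one-line comment on the condition would also help the next reader, e.g. `/* first <character-string> must be non-empty and fit inside the rdata */`. The rest of k5_try_realm_txt_rr() lies outside the hunk.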
@@ -0,0 +1,86 @@
+From df70aed645da58698466f5a8811a75873b85b5b2 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Mon, 12 May 2025 16:21:05 -0400
+Subject: [PATCH] Simplify preauth fallback disabling
+
+Remove the fallback_disabled field from krb5_init_creds_context, and
+instead record the current preauth type as the only allowed preauth
+type when a preauth module invokes the disable_fallback() method.
+
+The previous method failed to prevent fallback when a KDC unexpectedly
+responds with PREAUTH_REQUIRED partway through the preauth exchange.
+Reported by Richard Silverman.
+---
+ src/lib/krb5/krb/get_in_tkt.c | 3 ---
+ src/lib/krb5/krb/init_creds_ctx.h | 2 +-
+ src/lib/krb5/krb/preauth2.c | 7 ++++++-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
+index 4b2be41e75d..00a5cceea5a 100644
+--- a/src/lib/krb5/krb/get_in_tkt.c
++++ b/src/lib/krb5/krb/get_in_tkt.c
+@@ -1331,9 +1331,6 @@ init_creds_step_request(krb5_context context,
+ /* Don't continue after a keyboard interrupt. */
+ if (code == KRB5_LIBOS_PWDINTR)
+ goto cleanup;
+- /* Don't continue if fallback is disabled. */
+- if (code && ctx->fallback_disabled)
+- goto cleanup;
+ if (code) {
+ /* See if we can try a different preauth mech before giving up. */
+ k5_save_ctx_error(context, code, &save);
+diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
+index 17d55dd7c4c..710b77810b2 100644
+--- a/src/lib/krb5/krb/init_creds_ctx.h
++++ b/src/lib/krb5/krb/init_creds_ctx.h
+@@ -63,9 +63,9 @@ struct _krb5_init_creds_context {
+ krb5_enctype etype;
+ krb5_boolean info_pa_permitted;
+ krb5_boolean restarted;
+- krb5_boolean fallback_disabled;
+ krb5_boolean encts_disabled;
+ struct krb5_responder_context_st rctx;
++ krb5_preauthtype current_preauth_type;
+ krb5_preauthtype selected_preauth_type;
+ krb5_preauthtype allowed_preauth_type;
+ k5_json_object cc_config_in;
+diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
+index 32f35b76158..b5ef6c61650 100644
+--- a/src/lib/krb5/krb/preauth2.c
++++ b/src/lib/krb5/krb/preauth2.c
+@@ -552,7 +552,9 @@ set_cc_config(krb5_context context, krb5_clpreauth_rock rock,
+ static void
+ disable_fallback(krb5_context context, krb5_clpreauth_rock rock)
+ {
+- ((krb5_init_creds_context)rock)->fallback_disabled = TRUE;
++ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
++
++ ctx->allowed_preauth_type = ctx->current_preauth_type;
+ }
+
+ static struct krb5_clpreauth_callbacks_st callbacks = {
+@@ -676,6 +678,7 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
+ if (real && previously_failed(ctx, pa->pa_type))
+ continue;
+ mod_pa = NULL;
++ ctx->current_preauth_type = pa->pa_type;
+ ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks,
+ (krb5_clpreauth_rock)ctx, ctx->request,
+ ctx->inner_request_body,
+@@ -908,6 +911,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
+ if (h == NULL)
+ return KRB5KRB_ERR_GENERIC;
+ mod_pa = NULL;
++ ctx->current_preauth_type = pa_type;
+ ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks,
+ (krb5_clpreauth_rock)ctx, ctx->request,
+ ctx->inner_request_body,
+@@ -954,6 +958,7 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx,
+ h = find_module(context, ctx, pa->pa_type, &modreq);
+ if (h == NULL)
+ continue;
++ ctx->current_preauth_type = pa->pa_type;
+ ret = clpreauth_prep_questions(context, h, modreq, ctx->opt,
+ &callbacks, (krb5_clpreauth_rock)ctx,
+ ctx->request, ctx->inner_request_body,
diff --git a/krb5.spec b/krb5.spec
index e72c97fcca0de8fbdb7c654182445fd151ee5d3f..4321f0d11de3751fba6d466022bb2d4600344ae3 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -3,7 +3,7 @@ Name: krb5 Version: 1.21.2 -Release: 18 +Release: 19 Summary: The Kerberos network authentication protocol License: MIT URL: http://web.mit.edu/kerberos/www/
@@ -60,6 +60,8 @@ Patch36: backport-Fix-correctness-in-LDAP-delegation-ACL-checking.patch Patch37: backport-Fix-kdb5_util-ark-with-no-e-option.patch Patch38: backport-Fix-typo-in-AS-REQ-client-code.patch Patch39: backport-Fix-error-handling-in-pkinit_server_verify_padata.patch +Patch40: backport-Fix-crash-on-empty-TXT-records.patch +Patch41: backport-Simplify-preauth-fallback-disabling.patch BuildRequires: gettext BuildRequires: gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@@ -344,6 +346,9 @@ make -C src check || : %{_mandir}/man8/* %changelog +* Mon Dec 15 2025 yanglongkang - 1.21.2-19 +- backport patches to fix bugs + * Tue Nov 18 2025 zhangyaqi - 1.21.2-18 - Delete the last submitted patch
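Review bot: The new `current_preauth_type` field is written only at the three clpreauth call sites in preauth2.c and is never cleared afterwards, and the hunk shows no initializer for it in the context struct; if disable_fallback() were ever reached through a path other than those three, `allowed_preauth_type` would be pinned to a stale or zero value. I would document that contract on the field in init_creds_ctx.h, e.g. `/* pa type of the module currently being invoked; meaningful only during a clpreauth callback */`, and confirm the context is zero-initialized where it is allocated, which is not visible here. The commit message's rationale — a KDC answering PREAUTH_REQUIRED mid-exchange must not reopen fallback to other mechanisms — deserves a short comment inside disable_fallback() as well, since that is the downgrade the callback exists to block. init_creds_step_request() and all three preauth2.c functions touched start and end outside the hunks.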