diff --git a/0031-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch b/0031-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c35bc1bfaa475fde68c0698ec4011830717cb6f7
--- /dev/null
+++ b/0031-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch
@@ -0,0 +1,94 @@
+From cfac20da65da7391a79125e444d30dae3909654c Mon Sep 17 00:00:00 2001
+From: Tomasz Zawadzki <tomasz.zawadzki@nutanix.com>
+Date: Thu, 6 Nov 2025 03:49:34 +0800
+Subject: [PATCH] [Backport]NVMF: lib nvmf limit number of NVMe-oF registrants when up
+ PTPL info
+ 
+Limit the number of NVMe-oF registrants that are kept when using PTPL (Persist through power loss).
+ 
+Change-Id: I5207652b4a6e7313b3b4dbee212aa2be692d8b59
+Signed-off-by: Joel Cunningham <joel.cunningham@oracle.com>
+Reported-by: Joel Cunningham <joel.cunningham@oracle.com>
+Signed-off-by: Tomasz Zawadzki <tomasz.zawadzki@nutanix.com>
+Reviewed-on: https://review.spdk.io/c/spdk/spdk/+/26777
+Tested-by: SPDK Automated Test System <spdkbot@gmail.com>
+Reviewed-by: Konrad Sztyber <ksztyber@nvidia.com>
+Reviewed-by: Jacek Kalwas <jacek.kalwas@nutanix.com>
+Adapted-by: Jing SiXiang <jingsixiang1@h-partners.com>
+ 
+Reference:https://gitee.com/src-openeuler/spdk/commit/1deb6ee549ad8193718a2fe17891fa6bb8a5a79d
+Conflict:no
+---
+ lib/nvmf/subsystem.c                          | 11 +++++---
+ test/unit/lib/nvmf/subsystem.c/subsystem_ut.c | 26 +++++++++++++++++++
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+ 
+diff --git a/lib/nvmf/subsystem.c b/lib/nvmf/subsystem.c
+index 5729524..9f94e0d 100644
+--- a/lib/nvmf/subsystem.c
++++ b/lib/nvmf/subsystem.c
+@@ -1994,9 +1994,14 @@ nvmf_ns_update_reservation_info(struct spdk_nvmf_ns *ns)
+ 	}
+ 
+ 	TAILQ_FOREACH_SAFE(reg, &ns->registrants, link, tmp) {
+-		spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
+-				    &reg->hostid);
+-		info.registrants[i++].rkey = reg->rkey;
++		if (i < SPDK_NVMF_MAX_NUM_REGISTRANTS) {
++			spdk_uuid_fmt_lower(info.registrants[i].host_uuid, sizeof(info.registrants[i].host_uuid),
++								&reg->hostid);
++ 			info.registrants[i++].rkey = reg->rkey;
++		} else {
++			SPDK_ERRLOG("More registrants that can fit into reservation info, truncating\n");
++			break;
++		}
+ 	}
+ 
+ 	info.num_regs = i;
+diff --git a/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c b/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
+index df57241..c51a80b 100644
+--- a/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
++++ b/test/unit/lib/nvmf/subsystem.c/subsystem_ut.c
+@@ -1362,6 +1362,31 @@ test_spdk_nvmf_ns_event(void)
+ 	free(tgt.subsystems);
+ }
+ 
++static void
++test_nvmf_ns_reservation_add_max_registrants(void)
++{
++	ut_reservation_init();
++
++	struct spdk_nvmf_reservation_info info = {};
++	int rc;
++
++	/* Register 1 past the max */
++	uint32_t i = 0;
++	for (i = 0; i < SPDK_NVMF_MAX_NUM_REGISTRANTS + 1; i++) {
++		spdk_uuid_generate(&g_ctrlr1_A.hostid);
++		rc = nvmf_ns_reservation_add_registrant(&g_ns, &g_ctrlr1_A, 0xa11 + i);
++		CU_ASSERT(rc == 0);
++	}
++	/* Update the reservation info */
++	rc = nvmf_ns_update_reservation_info(&g_ns);
++	CU_ASSERT(rc == 0);
++	/* Validate that info is capped at max */
++	CU_ASSERT_EQUAL(info.num_regs, SPDK_NVMF_MAX_NUM_REGISTRANTS);
++	/* Clear should return max + 1 */
++	uint32_t cleared = nvmf_ns_reservation_clear_all_registrants(&g_ns);
++	CU_ASSERT_EQUAL(cleared, SPDK_NVMF_MAX_NUM_REGISTRANTS + 1);
++}
++
+ 
+ int main(int argc, char **argv)
+ {
+@@ -1387,6 +1412,7 @@ int main(int argc, char **argv)
+ 	CU_ADD_TEST(suite, test_reservation_clear_notification);
+ 	CU_ADD_TEST(suite, test_reservation_preempt_notification);
+ 	CU_ADD_TEST(suite, test_spdk_nvmf_ns_event);
++	CU_ADD_TEST(suite, test_nvmf_ns_reservation_add_max_registrants);
+ 
+ 	allocate_threads(1);
+ 	set_thread(0);
+-- 
+2.43.0
+ 
\ No newline at end of file
diff --git a/spdk.spec b/spdk.spec
index 81941eb9b47f121911f0237b09b0cb92a36fdd6b..7f8654e0a9a174caf7586398dd6c4f3d48210c53 100644
--- a/spdk.spec
+++ b/spdk.spec
@@ -3,7 +3,7 @@
 
 Name: spdk
 Version: 21.01.1
-Release: 17
+Release: 18
 Summary: Set of libraries and utilities for high performance user-mode storage
 License: BSD and MIT
 URL: http://spdk.io
@@ -38,6 +38,7 @@ Patch27: 0027--nvme-cuse-Add-ctrlr_lock-for-cuse-register-and-unreg.patch
 Patch28: 0028-fixed-use-after-free-detected-by-Coverity.patch
 Patch29: 0029-scripts-Do-msr-existence-check-only-on-x86_64-machin.patch
 Patch30: 0030-vhost-add-vhost-interrupt-coalescing-based-on-virtio.patch
+Patch31: 0031-lib-nvmf-limit-number-of-NVMe-oF-registrants-when-up.patch
 
 %define package_version %{version}-%{release}
 
@@ -208,6 +209,9 @@ mv doc/output/html/ %{install_docdir}
 
 
 %changelog
+* Wed Nov 5 2025 SiXiang Jing <jingsixiang1@h-partners.com> - 21.01.1-18
+- lib/nvmf: fix CVE-2025-57275
+
 * Sat May 10 2025 jiaqingtong <jiaqingtong@huawei.com> - 21.01.1-17
 - vhost: add vhost interrupt coalescing model