diff --git a/SPECS/netavark/CVE-2026-25541.patch b/SPECS/netavark/CVE-2026-25541.patch
new file mode 100644
index 00000000000..53af3597176
--- /dev/null
+++ b/SPECS/netavark/CVE-2026-25541.patch
@@ -0,0 +1,107 @@
+From eac0ec6e37e65707bf5c171206d880e206c5dad3 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 12 Feb 2026 18:27:10 +0000
+Subject: [PATCH] vendor/bytes: check overflow in new_cap + offset and add test
+
+- Add miri.sh run with wrapping overflow
+- Always check overflow in new_cap + offset during reserve and use computed value
+- Update debug asserts and pointer math to use existing offset
+- Add test to repro integer overflow in reserve
+
+Signed-off-by: AllSpark
+Signed-off-by: rpm-build
+Upstream-reference: AI Backport of https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f.patch
+---
+ vendor/bytes/ci/miri.sh | 4 ++++
+ vendor/bytes/src/bytes_mut.rs | 17 ++++++++---------
+ vendor/bytes/tests/test_bytes.rs | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/vendor/bytes/ci/miri.sh b/vendor/bytes/ci/miri.sh
+index 0158756..da597a6 100755
+--- a/vendor/bytes/ci/miri.sh
++++ b/vendor/bytes/ci/miri.sh
+@@ -9,3 +9,7 @@ export MIRIFLAGS="-Zmiri-strict-provenance"
+
+ cargo miri test
+ cargo miri test --target mips64-unknown-linux-gnuabi64
++
++
++# run with wrapping integer overflow instead of panic
++cargo miri test --release
+diff --git a/vendor/bytes/src/bytes_mut.rs b/vendor/bytes/src/bytes_mut.rs
+index c5c2e52..74c0302 100644
+--- a/vendor/bytes/src/bytes_mut.rs
++++ b/vendor/bytes/src/bytes_mut.rs
+@@ -668,9 +668,11 @@ impl BytesMut {
+
+ let offset = offset_from(self.ptr.as_ptr(), ptr);
+
++ let new_cap_plus_offset = new_cap.checked_add(offset).expect("overflow");
++
+ // Compare the condition in the `kind == KIND_VEC` case above
+ // for more details.
+- if v_capacity >= new_cap + offset {
++ if v_capacity >= new_cap_plus_offset {
+ self.cap = new_cap;
+ // no copy is necessary
+ } else if v_capacity >= new_cap && offset >= len {
+@@ -683,14 +685,11 @@ impl BytesMut {
+ self.ptr = vptr(ptr);
+ self.cap = v.capacity();
+ } else {
+- // calculate offset
+- let off = (self.ptr.as_ptr() as usize) - (v.as_ptr() as usize);
+-
+ // new_cap is calculated in terms of `BytesMut`, not the underlying
+ // `Vec`, so it does not take the offset into account.
+ //
+ // Thus we have to manually add it here.
+- new_cap = new_cap.checked_add(off).expect("overflow");
++ new_cap = new_cap_plus_offset;
+
+ // The vector capacity is not sufficient. The reserve request is
+ // asking for more than the initial buffer capacity. Allocate more
+@@ -712,13 +711,13 @@ impl BytesMut {
+ // the unused capacity of the vector is copied over to the new
+ // allocation, so we need to ensure that we don't have any data we
+ // care about in the unused capacity before calling `reserve`.
+- debug_assert!(off + len <= v.capacity());
+- v.set_len(off + len);
++ debug_assert!(offset + len <= v.capacity());
++ v.set_len(offset + len);
+ v.reserve(new_cap - v.len());
+
+ // Update the info
+- self.ptr = vptr(v.as_mut_ptr().add(off));
+- self.cap = v.capacity() - off;
++ self.ptr = vptr(v.as_mut_ptr().add(offset));
++ self.cap = v.capacity() - offset;
+ }
+
+ return;
+diff --git a/vendor/bytes/tests/test_bytes.rs b/vendor/bytes/tests/test_bytes.rs
+index 5ec60a5..95fbcda 100644
+--- a/vendor/bytes/tests/test_bytes.rs
++++ b/vendor/bytes/tests/test_bytes.rs
+@@ -1208,3 +1208,17 @@ fn test_bytes_capacity_len() {
+ }
+ }
+ }
++
++#[test]
++#[should_panic]
++fn bytes_mut_reserve_overflow() {
++ let mut a = BytesMut::from(&b"hello world"[..]);
++ let mut b = a.split_off(5);
++ // Ensure b becomes the unique owner of the backing storage
++ drop(a);
++ // Trigger overflow in new_cap + offset inside reserve
++ b.reserve(usize::MAX - 6);
++ // This call relies on the corrupted cap and may cause UB & HBO
++ b.put_u8(b'h');
++}
++
+--
+2.45.4
+
diff --git a/SPECS/netavark/netavark.spec b/SPECS/netavark/netavark.spec
index 03236861d88..7477e85aafa 100644
--- a/SPECS/netavark/netavark.spec
+++ b/SPECS/netavark/netavark.spec
@@ -11,7 +11,7 @@
 
 Name: netavark
 Version: 1.10.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: OCI network stack
 License: ASL 2.0 and BSD and MIT
 Vendor: Microsoft Corporation
@@ -19,6 +19,7 @@ Distribution: Azure Linux
 URL: https://github.com/containers/%{name}
 Source0: %{url}/archive/%{built_tag}/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: %{url}/releases/download/%{built_tag}/%{name}-%{built_tag}-vendor.tar.gz
+Patch0: CVE-2026-25541.patch
 BuildRequires: cargo < 1.85.0
 BuildRequires: make
 BuildRequires: protobuf-c
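Review bot: The added `bytes_mut_reserve_overflow` test carries a bare `#[should_panic]`, so it passes on any panic at all, including one from the trailing `b.put_u8(b'h')` call or from some other assertion inside `reserve`. As written it does not show that the new `new_cap.checked_add(offset).expect("overflow")` guard is what stopped the call. Pinning the guard's message ties the test to the fix: `#[should_panic(expected = "overflow")]`. The test also sits under `vendor/bytes/tests`, which the package build presumably never runs, so it documents the fix rather than verifying it in this build.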
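Review bot: `Patch0` is declared here, but nothing in this hunk shows where it is applied, and the patch targets `vendor/bytes/...`, which only exists once Source1 (the vendor tarball) has been unpacked. If %prep, which is outside this hunk, applies patches before extracting Source1, the patch would fail or be overwritten and the package would ship without the CVE fix, so the ordering is worth confirming. Cargo also checks vendored files against the crate's `.cargo-checksum.json`, which the patch's diffstat does not touch; confirm the build accounts for the modified `bytes_mut.rs`. A comment above the line would record the dependency: `# Applies to vendor/bytes from Source1; must be applied after the vendor tarball is unpacked`.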
@@ -225,6 +226,9 @@ popd %{_unitdir}/%{name}-firewalld-reload.service %changelog +* Thu Feb 12 2026 Azure Linux Security Servicing Account - 1.10.3-6 +- Patch for CVE-2026-25541 + * Mon Feb 02 2026 Archana Shettigar - 1.10.3-5 - Bump release to rebuild with rust