diff --git a/0001-Fix-invalid-nullptr-dereference-in-TagSection.keys.patch b/0001-Fix-invalid-nullptr-dereference-in-TagSection.keys.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea3a9710ed7986163d3c118b046de57ceb269eb3
--- /dev/null
+++ b/0001-Fix-invalid-nullptr-dereference-in-TagSection.keys.patch
@@ -0,0 +1,52 @@
+From 1874a7fd1ff38423d76ff0352e808f70e9bd19cd Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode
+Date: Mon, 16 Dec 2024 12:57:28 +0100
+Subject: [PATCH] Fix invalid nullptr dereference in TagSection.keys()
+
+If a key is not valid UTF-8, PyString_FromStringAndSize() returned
+nullptr, which we subsequently passed to PyList_Append() and
+Py_DECREF(), the latter trying to dereference it and causing a
+segmentation fault.
+
+LP: #2091865
+---
+ python/tag.cc | 6 ++++--
+ tests/test_tagfile.py | 5 +++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/python/tag.cc b/python/tag.cc
+index 691b67f5..98c9b170 100644
+--- a/python/tag.cc
++++ b/python/tag.cc
+@@ -280,8 +280,10 @@ static PyObject *TagSecKeys(PyObject *Self,PyObject *Args)
+ const char *End = Start;
+ for (; End < Stop && *End != ':'; End++);
+
+- PyObject *Obj;
+- PyList_Append(List,Obj = PyString_FromStringAndSize(Start,End-Start));
++ PyObject *Obj = PyString_FromStringAndSize(Start, End-Start);
++ if (Obj == nullptr)
++ return Py_DECREF(List), nullptr;
++ PyList_Append(List, Obj);
+ Py_DECREF(Obj);
+ }
+ return List;
+diff --git a/tests/test_tagfile.py b/tests/test_tagfile.py
+index bf2e4d9e..49a75729 100644
+--- a/tests/test_tagfile.py
++++ b/tests/test_tagfile.py
+@@ -136,6 +136,11 @@ class TestTagSection(testcommon.TestCase):
+ def tearDown(self):
+ shutil.rmtree(self.temp_dir)
+
++ def test_invalid_unicode_key(self):
++ ts = apt_pkg.TagSection(b"T\xc3st: Value\n", bytes=True)
++ self.assertEqual(len(ts), 1)
++ self.assertRaises(UnicodeDecodeError, ts.keys)
++
+ def test_write(self):
+ ts = apt_pkg.TagSection("a: 1\nb: 2\nc: 3\n")
+ outpath = os.path.join(self.temp_dir, "test")
+--
+2.45.2
+
diff --git a/python-apt.spec b/python-apt.spec
index f1fbe565cab0d9b0726e17676e054a20854a1c1c..272324080f0a39a5466924acf70b02f3f3d10eab 100644
--- a/python-apt.spec
+++ b/python-apt.spec
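Review bot: In the embedded python/tag.cc hunk, `PyList_Append(List, Obj);` still discards its return value, so a failed append (it returns -1 with an exception set) would let TagSecKeys keep looping and eventually `return List` with an error pending. The new nullptr check covers only the string conversion; the append should be handled the same way, e.g. `if (PyList_Append(List, Obj) != 0) { Py_DECREF(Obj); Py_DECREF(List); return nullptr; }`. A one-line comment above the new check, such as `// Key bytes may not be valid UTF-8; propagate the decode error instead of appending nullptr`, would record why the early return exists. TagSecKeys starts and ends outside the hunk, so whether other conversions in it need the same guard cannot be judged from here.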
@@ -2,11 +2,12 @@ Name: python-apt Version: 2.3.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Python bindings for APT License: GPLv2+ URL: https://tracker.debian.org/pkg/python-apt Source0: https://salsa.debian.org/apt-team/%{name}/-/archive/%{version}/%{name}-%{version}.tar.gz +Patch0001: 0001-Fix-invalid-nullptr-dereference-in-TagSection.keys.patch BuildRequires: apt-devel >= 2.0.0 BuildRequires: gcc @@ -65,6 +66,10 @@ rm -rf %{buildroot}%{python3_sitelib}/apt_*-stubs* %changelog +* Fri Dec 26 2025 bbrucezhang - 2.3.0-3 +- [Type] security +- [DESC] Fix CVE-2025-6966 + * Wed Jun 11 2025 bbrucezhang - 2.3.0-2 - Rebuilt for loongarch64
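Review bot: The first hunk adds `Patch0001:` but neither hunk touches `%prep`, so nothing visible here shows that the patch is actually applied during the build. If `%prep` uses plain `%setup` rather than `%autosetup -p1` (or an explicit `%patch`/`%autopatch`), release 2.3.0-3 would carry a changelog entry claiming the CVE-2025-6966 fix while the unpatched tag.cc is compiled; please confirm against the full spec. For traceability it would also help to put the identifiers next to the patch line, e.g. `# CVE-2025-6966 (LP: #2091865)` above `Patch0001:`, since the patch header itself cites only the Launchpad bug.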