diff --git a/0048-fix-CVE-2024-57360.patch b/0048-fix-CVE-2024-57360.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff1c69edcb320e150ab88188b4e56e1099f88b8a
--- /dev/null
+++ b/0048-fix-CVE-2024-57360.patch
@@ -0,0 +1,59 @@
+diff --git a/binutils/nm.c b/binutils/nm.c
+index f96cfa31..99910f47 100644
+--- a/binutils/nm.c
++++ b/binutils/nm.c
+@@ -677,7 +677,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+ 	       const char *name, bfd *abfd)
+ {
+   char *alloc = NULL;
+-  char *atver = NULL;
++  char *atname = NULL;
+ 
+   if (name == NULL)
+     name = info->sinfo->name;
+@@ -685,9 +685,18 @@ print_symname (const char *form, struct extended_symbol_info *info,
+   if (!with_symbol_versions
+       && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+     {
+-      atver = strchr (name, '@');
++      char *atver = strchr (name, '@');
+       if (atver)
+-	*atver = 0;
++        {
++          /* PR 32467 - Corrupt binaries might include an @ character in a
++             symbol name.  Since non-versioned symbol names can be in
++             read-only memory (via memory mapping of a file's contents) we
++             cannot just replace the @ character with a NUL.  Instead we
++             create a truncated copy of the name.  */
++          atname = xstrdup (name);
++          atname [atver - name] = 0;
++          name = atname;
++        }
+     }
+ 
+   if (do_demangle && *name)
+@@ -698,9 +707,7 @@ print_symname (const char *form, struct extended_symbol_info *info,
+     }
+ 
+   if (unicode_display != unicode_default)
+-    {
+-      name = convert_utf8 (name);
+-    }
++    name = convert_utf8 (name);
+ 
+   if (info != NULL && info->elfinfo && with_symbol_versions)
+     {
+@@ -721,8 +728,8 @@ print_symname (const char *form, struct extended_symbol_info *info,
+ 	}
+     }
+   printf (form, name);
+-  if (atver)
+-    *atver = '@';
++
++  free (atname);
+   free (alloc);
+ }
+ 
+-- 
+2.43.5
+
diff --git a/binutils.spec b/binutils.spec
index cc8f4a59437a00f756f1b61273072fb14f28e2a3..c8fa988ada97b6622abe8792e72577628726ec24 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -1,4 +1,4 @@
-%define anolis_release 12
+%define anolis_release 13
 # Determine if this is a native build or a cross build.
 #
 # For a cross build add  --define "binutils_target <target>" to the command
@@ -378,6 +378,9 @@ Patch0046: 0046-Support-x86-Zhaoxin-GMI-PadLock.patch
 # https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893
 Patch0047: fix-CVE-2025-0840.patch
 
+# https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5f8987d3999edb26e757115fe87be55787d510b9
+Patch0048: 0048-fix-CVE-2024-57360.patch
+
 # Purpose:  Suppress the x86 linker's p_align-1 tests due to kernel bug on CentOS-10
 # Lifetime: TEMPORARY
 Patch0099: 0099-binutils-suppress-ld-align-tests.patch
@@ -1157,6 +1160,9 @@ exit 0
 %doc README ChangeLog MAINTAINERS README-maintainer-mode
 
 %changelog
+* Wed Oct 22 2025 wh02252983 <wh02252983@alibaba-inc.com> - 2.41-13
+- add patch to fix CVE-2024-57360
+
 * Tue Aug 26 2025 mgb01105731 <mgb01105731@alibaba-inc.com> - 2.41-12
 - Add patch to fix CVE-2025-0840