diff --git a/CVE-2025-1919.patch b/CVE-2025-1919.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7959215d32c48632fb1094b337ac11fdc93b6a61
--- /dev/null
+++ b/CVE-2025-1919.patch
@@ -0,0 +1,78 @@
+From 54214171fceb920a4037a70ece60d478cd43e2d3 Mon Sep 17 00:00:00 2001
+From: zhaoshun <zhaoshun@cqsoftware.com.cn>
+Date: Tue, 29 Jul 2025 17:45:55 +0800
+Subject: [PATCH] CVE-2025-1919
+
+---
+ .../mojo/common/media_type_converters.cc      | 28 +++++++++++++++----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc b/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
+index 933774836..f9e3ecc46 100644
+--- a/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
++++ b/src/3rdparty/chromium/media/mojo/common/media_type_converters.cc
+@@ -4,15 +4,15 @@
+ 
+ #include "media/mojo/common/media_type_converters.h"
+ 
+-#include <stddef.h>
+-#include <stdint.h>
+ #include <memory>
+ 
+ #include "base/logging.h"
++#include "base/numerics/checked_math.h"
+ #include "base/numerics/safe_conversions.h"
+ #include "media/base/audio_buffer.h"
+ #include "media/base/decoder_buffer.h"
+ #include "media/base/decrypt_config.h"
++#include "media/base/sample_format.h"
+ #include "media/base/subsample_entry.h"
+ #include "mojo/public/cpp/system/buffer.h"
+ 
+@@ -151,7 +151,7 @@ TypeConverter<scoped_refptr<media::AudioBuffer>, media::mojom::AudioBufferPtr>::
+       static_cast<size_t>(input->channel_layout) > media::CHANNEL_LAYOUT_MAX ||
+       ChannelLayoutToChannelCount(input->channel_layout) !=
+           input->channel_count) {
+-    LOG(ERROR) << "Receive an invalid audio buffer, replace it with EOS.";
++    DLOG(ERROR) << "Receive an invalid audio buffer, replace it with EOS.";
+     return media::AudioBuffer::CreateEOSBuffer();
+   }
+ 
+@@ -163,14 +163,32 @@ TypeConverter<scoped_refptr<media::AudioBuffer>, media::mojom::AudioBufferPtr>::
+         input->timestamp);
+   }
+ 
++  // Safe to cast, since we already checked `sample_format` doesn't exceed
++  // media::kSampleFormatMax above.
++  const size_t bytes_per_channel = SampleFormatToBytesPerChannel(
++      static_cast<media::SampleFormat>(input->sample_format));
++
++  // `bytes_per_channel` could be 0 if we received a kUnknownFormat. In that
++  // case, and in the case of a overflow below, `min_data_size` will be 0,
++  // and we will return an EOS below.
++  const size_t min_data_size =
++      base::CheckMul(input->frame_count,
++                     base::CheckMul(input->channel_count, bytes_per_channel))
++          .ValueOrDefault(0u);
++  if (input->data.size() < min_data_size) {
++    DLOG(ERROR) << "Received invalid AudioBuffer, replace it with EOS.";
++    return media::AudioBuffer::CreateEOSBuffer();
++  }
++
+   // Setup channel pointers.  AudioBuffer::CopyFrom() will only use the first
+   // one in the case of interleaved data.
+   std::vector<const uint8_t*> channel_ptrs(input->channel_count, nullptr);
+   const size_t size_per_channel = input->data.size() / input->channel_count;
+   DCHECK_EQ(0u, input->data.size() % input->channel_count);
+-  for (int i = 0; i < input->channel_count; ++i)
++  for (int i = 0; i < input->channel_count; ++i) {
+     channel_ptrs[i] = input->data.data() + i * size_per_channel;
+-
++  }
++  
+   return media::AudioBuffer::CopyFrom(
+       input->sample_format, input->channel_layout, input->channel_count,
+       input->sample_rate, input->frame_count, &channel_ptrs[0],
+-- 
+2.43.5
+
diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index d2ddaec7ee2ebce0adce25678857811d676c0fd0..e5d0631cb4c63b5dd456f672590c03d768b65932 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -52,7 +52,7 @@
 Summary: Qt5 - QtWebEngine components
 Name:    qt5-qtwebengine
 Version: 5.15.16
-Release: 1
+Release: 2
 
 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details
 # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html
@@ -121,6 +121,8 @@ Patch1001: riscv-qt5-qtwebengine.patch
 Patch1002: riscv-Fix-build-with-ffmpeg.patch
 Patch1003: riscv-qt5-webengine-ffmpeg7.patch
 
+Patch6000: CVE-2025-1919.patch
+
 BuildRequires: make
 BuildRequires: qt5-qtbase-devel
 BuildRequires: qt5-qtbase-private-devel
@@ -436,6 +438,8 @@ popd
 %patch -P1003 -p1 -b .riscv-Fix-build-with-ffmpeg
 %endif
 
+%patch6000 -p1
+
 # delete all "toolprefix = " lines from build/toolchain/linux/BUILD.gn, as we
 # never cross-compile in native Fedora RPMs, fixes ARM and aarch64 FTBFS
 sed -i -e '/toolprefix = /d' -e 's/\${toolprefix}//g' \
@@ -652,6 +656,9 @@ done
 
 
 %changelog
+* Wed Aug 13 2025 Zhang Yi <yizhang@cqsoftware.com.cn> - 5.15.16-2
+- fix CVE-2025-1919
+
 * Tue Apr 22 2025 Funda Wang <fundawang@yeah.net> - 5.15.16-1
 - update to 5.15.16