diff --git a/backport-Enumerate-object-with-escaped-characters-in-name.patch b/backport-Enumerate-object-with-escaped-characters-in-name.patch
new file mode 100644
index 0000000000000000000000000000000000000000..67c04b292f062e00847d1a24badc6950793739ec
--- /dev/null
+++ b/backport-Enumerate-object-with-escaped-characters-in-name.patch
@@ -0,0 +1,58 @@
+From 158b4cdb7ac62fde1280f50a5d678f80d0e99015 Mon Sep 17 00:00:00 2001
+From: Tomas Halman
+Date: Thu, 13 Mar 2025 17:37:51 +0100
+Subject: [PATCH] Enumerate object with escaped characters in name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch fixes enumeration when DN in LDAP server
+contains special characters.
+
+The libldb expects that '\' is followed by two hex digits
+in filter. Strings like '\#' must be sanitized into '\5c#'
+before they are used for searching.
+
+Resolves: https://github.com/SSSD/sssd/issues/7876
+
+Reviewed-by: Alejandro López
+Reviewed-by: Dan Lavu
+---
+ src/db/sysdb_search.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index 7f34ddbcb..fdcbdc1eb 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -814,6 +814,7 @@ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *dn_filter;
++ char *sanitized_dn;
+ errno_t ret;
+
+ if (ts_res->count == 0) {
+@@ -844,11 +845,18 @@ static errno_t sysdb_enum_dn_filter(TALLOC_CTX *mem_ctx,
+ }
+
+ for (size_t i = 0; i < ts_res->count; i++) {
++ ret = sss_filter_sanitize(tmp_ctx,
++ ldb_dn_get_linearized(ts_res->msgs[i]->dn),
++ &sanitized_dn);
++ if (ret != EOK) {
++ goto done;
++ }
+ dn_filter = talloc_asprintf_append(
+ dn_filter,
+ "(%s=%s)",
+ SYSDB_DN,
+- ldb_dn_get_linearized(ts_res->msgs[i]->dn));
++ sanitized_dn);
++ talloc_free(sanitized_dn);
+ if (dn_filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+--
+2.33.0
+
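Review bot: `ldb_dn_get_linearized()` can return NULL, and the new `sss_filter_sanitize()` call at the top of the loop passes that result straight through, so the safety of the fix depends on the callee's NULL handling, which is outside this patch; a guard such as `const char *dn_str = ldb_dn_get_linearized(ts_res->msgs[i]->dn); if (dn_str == NULL) { ret = EINVAL; goto done; }` before the call would make that failure explicit. The explicit `talloc_free(sanitized_dn)` after the append is the right choice for a per-iteration temporary under tmp_ctx, and both error paths (`ret != EOK` before the allocation, `ENOMEM` after the free) leave no dangling reference. The new `char *sanitized_dn;` in the first hunk has no initializer, which is harmless because every read follows the out-parameter assignment, but `char *sanitized_dn = NULL;` would match the neighbouring `tmp_ctx` initialisation. sysdb_enum_dn_filter begins and ends outside the hunk.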
diff --git a/backport-RESPONDER-skip-mem-cache-invalidation.patch b/backport-RESPONDER-skip-mem-cache-invalidation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5847fbe13eb372ae9b4a9266bfa60e42833d5022
--- /dev/null
+++ b/backport-RESPONDER-skip-mem-cache-invalidation.patch
@@ -0,0 +1,59 @@
+From 0fc6768c6ae1d788d53981d4d01e562b38c1ed00 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Tue, 3 Jun 2025 12:31:31 +0200
+Subject: [PATCH] RESPONDER: skip mem-cache invalidation
+
+if mem-cache is explicitly disabled
+
+Resolves: https://github.com/SSSD/sssd/issues/7981
+
+Reviewed-by: Justin Stephenson
+---
+ src/responder/nss/nss_get_object.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
+index 29f9cb59b..073f3ebbc 100644
+--- a/src/responder/nss/nss_get_object.c
++++ b/src/responder/nss/nss_get_object.c
+@@ -34,12 +34,21 @@ memcache_delete_entry_by_name(struct nss_ctx *nss_ctx,
+
+ switch (type) {
+ case SSS_MC_PASSWD:
++ if (nss_ctx->pwd_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name);
+ break;
+ case SSS_MC_GROUP:
++ if (nss_ctx->grp_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name);
+ break;
+ case SSS_MC_INITGROUPS:
++ if (nss_ctx->initgr_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name);
+ break;
+ default:
+@@ -66,9 +75,15 @@ memcache_delete_entry_by_id(struct nss_ctx *nss_ctx,
+
+ switch (type) {
+ case SSS_MC_PASSWD:
++ if (nss_ctx->pwd_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id);
+ break;
+ case SSS_MC_GROUP:
++ if (nss_ctx->grp_mc_ctx == NULL) { /* mem-cache disabled */
++ return EOK;
++ }
+ ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id);
+ break;
+ default:
+--
+2.33.0
+
diff --git a/sssd.spec b/sssd.spec
index a8d0aad75a94982c1ba39b4c87395008fd7747e8..9f2048b3bf5e8b262bd7bd3e151e7040b1065db8 100644
--- a/sssd.spec
+++ b/sssd.spec
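Review bot: The new guards `return EOK` from inside the `switch`, which bypasses whatever follows the switch in memcache_delete_entry_by_name (the two guards in memcache_delete_entry_by_id share the same shape); if the tail of either function logs or post-processes `ret`, a disabled cache now silently skips that, and `ret = EOK; break;` would keep the single exit path. Both function bodies continue outside the hunk, so whether the tail does anything beyond returning `ret` is an inference to confirm. The repeated `/* mem-cache disabled */` comment could instead be one sentence in each function's header comment, e.g. `A NULL *_mc_ctx means that memory cache is disabled; invalidation is then a no-op and returns EOK.`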
@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.2.2
-Release: 22
+Release: 23
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -24,6 +24,8 @@
 Patch14: backport-TOOLS-mistype-fix.patch
 Patch15: backport-Make-sure-invalid-krb5-context-is-not-used.patch
 Patch16: backport-SSS_CLIENT-MC-simplify-logic-and.patch
 Patch17: backport-fix-CVE-2025-11561.patch
+Patch18: backport-Enumerate-object-with-escaped-characters-in-name.patch
+Patch19: backport-RESPONDER-skip-mem-cache-invalidation.patch
 Requires: python3-sssd = %{version}-%{release}
 Requires: libldb
@@ -597,6 +599,9 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Wed Dec 10 2025 fuanan - 2.2.2-23
+- backport upstream patches
+
 * Mon Oct 20 2025 xuraoqing - 2.2.2-22
 - fix CVE-2025-11561