diff --git a/CVE-2025-5683.patch b/CVE-2025-5683.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c82bfcbc9e063aa99abd928e906b09f1c0217fae
--- /dev/null
+++ b/CVE-2025-5683.patch
@@ -0,0 +1,43 @@
+From efd332516f510144927121fa749ce819b82ec633 Mon Sep 17 00:00:00 2001
+From: Samuel Gaist <samuel.gaist@idiap.ch>
+Date: Fri, 09 May 2025 17:12:49 +0200
+Subject: [PATCH] Fix validation issue for ICNS image
+
+The header validation logic could trigger an assert when an invalid ICNS
+image was loaded. This patch fixes the validation logic.
+
+Credit to OSS-Fuzz
+
+Fixes: QTBUG-136707
+Pick-to: 6.9 6.8 6.5
+Change-Id: I9571b9fd0b53d07ceee9792c9418472e949eff30
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+---
+
+diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp
+index 6cf74b2..501394d 100644
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -324,8 +324,11 @@
+ 
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+-    return header.ostype != 0 && (bound == 0
+-                || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++    return header.ostype != 0 &&
++        (bound == 0 ||
++            // qBound can be used but requires checking the limits first
++            // this requires less operations
++            (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+ 
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -870,7 +873,7 @@
+             return false;
+ 
+         const qint64 blockDataOffset = device()->pos();
+-        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+             qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+                      QByteArray::number(blockDataOffset).constData(),
+                      nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 9da3dd2a8573e24e5f768946860660d2bbf73aaa..b273d21eae0d60095a221fbdd4f85891259edef3 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -13,7 +13,7 @@
 Name:             qt5-qtbase
 Summary:          Core component of Qt toolkit
 Version:          5.11.1
-Release:          23
+Release:          24
 License:          LGPLv2 with exceptions or GPLv3 with exceptions
 Url:              http://qt-project.org/
 Source0:          https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtbase-everywhere-src-%{version}.tar.xz
@@ -59,6 +59,7 @@ Patch6014:        qtbase5.11.1-CVE-2023-43114.patch
 Patch6015:        qtbase5.11.1-CVE-2023-51714.patch
 Patch6016:        CVE-2023-45935.patch
 Patch6017:        CVE-2025-5455-qtbase-5.15.patch
+Patch6018:        CVE-2025-5683.patch
 
 BuildRequires:    pkgconfig(libsystemd) cups-devel desktop-file-utils findutils
 BuildRequires:    libjpeg-devel libmng-devel libtiff-devel pkgconfig(alsa)
@@ -425,6 +426,9 @@ fi
 
 
 %changelog
+* Thu Oct 16 2025 yujingbo <yujingbo@kylinos.cn> - 5.11.1-24
+- fix CVE-2025-5683
+
 * Sat Jun 07 2025 Funda Wang <fundawang@yeah.net> - 5.11.1-23
 - fix CVE-2025-5455