diff --git a/compat-openssl10-1.0.2o-CVE-2026-22796.patch b/compat-openssl10-1.0.2o-CVE-2026-22796.patch
new file mode 100644
index 0000000000000000000000000000000000000000..767c00260e1afbec070982b374738c77a4b7f9ea
--- /dev/null
+++ b/compat-openssl10-1.0.2o-CVE-2026-22796.patch
@@ -0,0 +1,58 @@
+From 572844beca95068394c916626a6d3a490f831a49 Mon Sep 17 00:00:00 2001
+From: Bob Beck
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Shane Lontis
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ crypto/pkcs7/pk7_doit.c | 2 ++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
+index 1841f78..1488214 100644
+--- a/crypto/pkcs12/p12_kiss.c
++++ b/crypto/pkcs12/p12_kiss.c
+@@ -237,11 +237,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+ ASN1_BMPSTRING *fname = NULL;
+ ASN1_OCTET_STRING *lkid = NULL;
+ 
+- if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
++ if ((attrib = PKCS12_get_attr(bag, NID_friendlyName))) {
++ if (attrib->type != V_ASN1_BMPSTRING)
++ return 0;
+ fname = attrib->value.bmpstring;
++ }
+ 
+- if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
++ if ((attrib = PKCS12_get_attr(bag, NID_localKeyID))) {
++ if (attrib->type != V_ASN1_OCTET_STRING)
++ return 0;
+ lkid = attrib->value.octet_string;
++ }
+ 
+ switch (M_PKCS12_bag_type(bag)) {
+ case NID_keyBag:
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 6a46368..1a39531 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -1204,6 +1204,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+ ASN1_TYPE *astype;
+ if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest)))
+ return NULL;
++ if (astype->type != V_ASN1_OCTET_STRING)
++ return NULL;
+ return astype->value.octet_string;
+ }
+ 
diff --git a/compat-openssl10.spec b/compat-openssl10.spec
index 4837e24fd2a0be024e23e8acce8be5d2744afaa1..f00f6044ce242d1d277ed99be2770d2a2083c327 100644
--- a/compat-openssl10.spec
+++ b/compat-openssl10.spec
@@ -12,7 +12,7 @@ Summary: Compatibility version of the OpenSSL library
 Name: compat-openssl10
 Version: 1.0.2o
-Release: 3%{?dist}
+Release: 4%{?dist}
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
@@ -85,6 +85,9 @@ Patch83: openssl-1.0.2o-cve-2022-0778.patch
 Patch84: openssl-1.0.2o-update-expired-certificates.patch
 Patch85: openssl-1.0.2-cve-2023-0286-X400.patch
 Patch86: openssl-1.0.2-CVE-2025-9230.patch
+Patch087: openssl-1.0.2o-CVE-2025-69421.patch
+Patch088: openssl-1.0.2o-CVE-2025-68160.patch
+Patch089: compat-openssl10-1.0.2o-CVE-2026-22796.patch
 License: OpenSSL
 Group: System Environment/Libraries
@@ -105,7 +108,7 @@ and is provided for compatibility with previous releases and software that does
 not support compilation with OpenSSL-1.1.
 %prep
-%autosetup -n openssl-%{version} -N
+%autosetup -p1 -n openssl-%{version} -N
 # The hobble_openssl is called here redundantly, just to be sure.
 # The tarball has already the sources removed.
@@ -168,6 +171,9 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch83 -p1 -b .cve-2022-0778
 %patch84 -p1 -b .update-expired-certificates
 %patch85 -p1 -b .cve-2023-0286
+%patch087 -p1 -b .cve-2025-69421
+%patch088 -p1 -b .cve-2025-68160
+%patch089 -p1 -b .cve-2026-22796
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
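Review bot: The embedded message says the fix also carries "fixes for others found by a scan", yet the backported diffstat lists only crypto/pkcs12/p12_kiss.c and crypto/pkcs7/pk7_doit.c, so before the changelog claims CVE-2026-22796 closed it is worth checking upstream PR 29582 for sites that also exist in 1.0.2o; the Adapted-by line does not say whether the remaining hunks were dropped because they do not apply to this tree. The two checks that are here match upstream: parse_bag returns 0 when a friendlyName attribute is not V_ASN1_BMPSTRING or a localKeyID is not V_ASN1_OCTET_STRING, and PKCS7_digest_from_attributes returns NULL for a messageDigest that is not an OCTET STRING, so the ASN1_TYPE union is no longer read through the wrong member. parse_bag's new early returns push nothing onto the error queue, which is presumably consistent with that function's other failure paths outside the hunk, but a `PKCS12err()` there would make a rejected bag diagnosable rather than a silent parse failure. Both parse_bag and PKCS7_digest_from_attributes start before their respective nested hunks.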
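Review bot: In the `%prep` hunk `-p1` is added to `%autosetup` while `-N` is kept; as far as I can tell `-N` turns off the automatic patch pass that `-p` configures, and the patches are still applied by hand in the -168 hunk with explicit `%patch0NN -p1` lines, so the new option does nothing and suggests autopatch is in use when it is not. Either revert to `%autosetup -n openssl-%{version} -N` or go fully automatic and delete the manual `%patch` lines, since keeping both invites double application later. The new entries are zero-padded (`Patch087`, `%patch087`) while their neighbours are `Patch86` and `%patch85`; rpm should resolve both spellings to the same number, but one convention per file is easier to audit. Separately, `Patch86: openssl-1.0.2-CVE-2025-9230.patch` is declared in the -85 hunk yet no `%patch86` line appears in the -168 hunk's context between `%patch85` and the new lines; if it is applied further down the spec, fine, otherwise the fix from release 3 is declared but never applied.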
@@ -346,6 +352,10 @@ install -m 644 apps/openssl10.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl10.cn
 %postun -p /sbin/ldconfig
 %changelog
+* Mon Mar 16 2026 PkgAgent Robot - 1.0.2o-4
+- [Type] security
+- [DESC] Fix CVE-2025-69421, CVE-2025-68160, CVE-2026-22796
+
 * Tue Oct 28 2025 wynnfeng - 1.0.2o-3
 - fix CVE-2025-9230
diff --git a/openssl-1.0.2o-CVE-2025-68160.patch b/openssl-1.0.2o-CVE-2025-68160.patch
new file mode 100644
index 0000000000000000000000000000000000000000..711fc60dd4ebe25d429097d6f462569c1df8664f
--- /dev/null
+++ b/openssl-1.0.2o-CVE-2025-68160.patch
@@ -0,0 +1,78 @@
+From 475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes openssl/srt#48
+
+Fixes CVE-2025-68160
+
+Reviewed-by: Nikola Pajkovsky
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:41:40 2026
+(cherry picked from commit b21663c35a6f0ed4c8de06855bdc7a6a21f00c2f)
+
+
+---
+ crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
+index 46d0d5a..b5aebb6 100644
+--- a/crypto/bio/bf_lbuf.c
++++ b/crypto/bio/bf_lbuf.c
+@@ -252,14 +252,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+ while (foundnl && inl > 0);
+ /*
+ * We've written as much as we can. The rest of the input buffer, if
+- * any, is text that doesn't and with a NL and therefore needs to be
+- * saved for the next trip.
++ * any, is text that doesn't end with a NL and therefore we need to try
++ * free up some space in our obuf so we can make forward progress.
+ */
+- if (inl > 0) {
+- memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+- ctx->obuf_len += inl;
+- num += inl;
++ while (inl > 0) {
++ size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++ size_t to_copy;
++
++ if (avail == 0) {
++ /* Flush buffered data to make room */
++ i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++ if (i <= 0) {
++ BIO_copy_next_retry(b);
++ return num > 0 ? num : i;
++ }
++ if (i < ctx->obuf_len)
++ memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++ ctx->obuf_len -= i;
++ continue;
++ }
++
++ to_copy = inl > (int)avail ? avail : (size_t)inl;
++ memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++ ctx->obuf_len += (int)to_copy;
++ in += to_copy;
++ inl -= (int)to_copy;
++ num += (int)to_copy;
+ }
++
+ return num;
+ }
+ 
diff --git a/openssl-1.0.2o-CVE-2025-69421.patch b/openssl-1.0.2o-CVE-2025-69421.patch
new file mode 100644
index 0000000000000000000000000000000000000000..62bf24e4c5ef92378065679089c3d0adf9575100
--- /dev/null
+++ b/openssl-1.0.2o-CVE-2025-69421.patch
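Review bot: The rewritten comment above the new loop reads `therefore we need to try free up some space`, and since it is the only prose a future reader has for the flush-then-copy loop it is worth correcting in the adapted patch to `therefore we need to try to free up some space in our obuf so we can make forward progress`. The loop itself is the upstream cherry-pick: when `avail == 0` it flushes `obuf` to `next_bio`, and a result `<= 0` is returned as `num > 0 ? num : i` after `BIO_copy_next_retry(b)`, so bytes already accepted into `obuf` earlier in this call are reported as written and stay buffered for the next call; a short write that made progress is therefore a success from the caller's view, which presumably matches the earlier write loop of the same function outside the hunk. `i`, `num` and `ctx` are declared before the hunk, and linebuffer_write starts before it, so the types of `obuf_size` and `obuf_len` that the `(size_t)`/`(int)` casts rely on should be confirmed against the 1.0.2o struct rather than the 3.x one.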
@@ -0,0 +1,39 @@
+From 36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7 Mon Sep 17 00:00:00 2001
+From: Andrew Dinh
+Date: Thu, 8 Jan 2026 01:24:30 +0900
+Subject: [PATCH] PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes CVE-2025-69421
+
+Reviewed-by: Nikola Pajkovsky
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:56:08 2026
+(cherry picked from commit 2c13bf15286328641a805eb3b7c97e27d42881fb)
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ crypto/pkcs12/p12_decr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
+index b40ea10..10fe9eb 100644
+--- a/crypto/pkcs12/p12_decr.c
++++ b/crypto/pkcs12/p12_decr.c
+@@ -133,6 +133,11 @@ void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
+ void *ret;
+ int outlen;
+ 
++ if (oct == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, ERR_R_PASSED_NULL_PARAMETER);
++ return NULL;
++ }
++
+ if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+ &out, &outlen, 0)) {
+ PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
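Review bot: The adapted subject still names `PKCS12_item_decrypt_d2i_ex()`, but the function patched here is `PKCS12_item_decrypt_d2i`, which is what the 1.0.2o tree has, so the Adapted-by line should state that the check was relocated to the non-`_ex` function; otherwise anyone matching this patch against the upstream advisory will wonder whether the wrong function was patched. The check itself is right for this tree: it rejects a NULL `oct` with `ERR_R_PASSED_NULL_PARAMETER` before `oct->data` is dereferenced, and `PKCS12_F_PKCS12_ITEM_DECRYPT_D2I` is the same function code the existing PKCS12_pbe_crypt failure path a few lines below already uses. Presumably the NULL reaches this function from callers such as PKCS12_unpack_p7encdata, where the encrypted content's data is optional in the ASN.1 template; confirm the 1.0.2o call sites rather than relying on the 3.x analysis. The function starts before the hunk and continues after it.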