diff --git a/security/krb5-122/Makefile b/security/krb5-122/Makefile
index 1d79f5620b68..de7531fc483a 100644
--- a/security/krb5-122/Makefile
+++ b/security/krb5-122/Makefile
@@ -1,155 +1,154 @@ PORTNAME= krb5 -PORTVERSION= 1.22 -PORTREVISION= 1 +PORTVERSION= 1.22.1 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) PKGNAME_X= -${FLAVOR:S/default//}-122 .else PKGNAME_X= -${FLAVOR:S/default//} .endif PKGNAMESUFFIX= ${PKGNAME_X:S/--/-/:C/-$//} PATCH_SITES= http://web.mit.edu/kerberos/advisories/ PATCH_DIST_STRIP= -p2 MAINTAINER= cy@FreeBSD.org COMMENT= MIT implementation of RFC 4120 network authentication service WWW= https://web.mit.edu/kerberos/ LICENSE= MIT CONFLICTS= heimdal krb5 krb5-11* krb5-120 CONFLICTS_BUILD= boringssl KERBEROSV_URL= http://web.mit.edu/kerberos/ USES= autoreconf compiler:c++11-lang cpe gmake gettext-runtime \ gssapi:bootstrap,mit libtool:build localbase \ perl5 pkgconfig ssl USE_CSTD= gnu99 USE_LDCONFIG= yes USE_PERL5= build GNU_CONFIGURE= yes CONFIGURE_ARGS?= --enable-shared --without-system-verto \ --disable-rpath GNU_CONFIGURE_MANPREFIX=${PREFIX}/share CONFIGURE_ENV= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" YACC="${YACC}" MAKE_ARGS= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" CPE_VENDOR= mit CPE_VERSION= 5-${PORTVERSION} CPE_PRODUCT= kerberos FLAVORS= default ldap OPTIONS_DEFINE= EXAMPLES NLS DOCS DNS_FOR_REALM LDAP LMDB OPTIONS_DEFAULT= DOCS READLINE OPTIONS_RADIO= CMD_LINE_EDITING OPTIONS_RADIO_CMD_LINE_EDITING= READLINE LIBEDIT LIBEDIT_BASE CMD_LINE_EDITING_DESC= Command line editing for kadmin and ktutil DNS_FOR_REALM_DESC= Enable DNS lookups for Kerberos realm names DNS_FOR_REALM_CONFIGURE_ENABLE= dns-for-realm LDAP= Enable LDAP support LDAP_USES= ldap LDAP_CONFIGURE_WITH= ldap LMDB_DESC= OpenLDAP Lightning Memory-Mapped Database support LMDB_CONFIGURE_WITH= lmdb LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb LMDB_IMPLIES= LDAP NLS_USES= gettext NLS_CONFIGURE_OFF= --disable-nls READLINE_USES= readline READLINE_CONFIGURE_WITH=readline LIBEDIT_USES= libedit LIBEDIT_CONFIGURE_WITH= 
libedit LIBEDIT_BASE_CONFIGURE_WITH= libedit LIBEDIT_BASE_DESC= Use libedit in FreeBSD base .if ${FLAVOR:U} == ldap OPTIONS_DEFAULT+= LDAP LMDB .endif .if defined(KRB5_HOME) PREFIX= ${KRB5_HOME} .endif .if !defined(KRB5_LOCALSTATEDIR) KRB5_LOCALSTATEDIR= "${PREFIX}/var" .endif .if !defined(KRB5_RUNSTATEDIR) KRB5_RUNSTATEDIR= "${PREFIX}/var/run" .endif CONFIGURE_ARGS+= --runstatedir="${KRB5_RUNSTATEDIR}" CONFIGURE_ARGS+= --localstatedir="${KRB5_LOCALSTATEDIR}" PLIST_SUB+= KRB5_LOCALSTATEDIR=${KRB5_LOCALSTATEDIR} PLIST_SUB+= KRB5_RUNSTATEDIR=${KRB5_RUNSTATEDIR} CPPFLAGS+= -I${OPENSSLINC} LDFLAGS+= -L${OPENSSLLIB} USE_RC_SUBR= kpropd OPTIONS_SUB= yes WRKSRC_SUBDIR= src PORTEXAMPLES= kdc.conf krb5.conf services.append .include # Fix up -Wl,-rpath in LDFLAGS .if !empty(KRB5_HOME) _RPATH= ${KRB5_HOME}/lib: .else _RPATH= ${LOCALBASE}/lib: .endif .if !empty(LDFLAGS:M-Wl,-rpath,*) .for F in ${LDFLAGS:M-Wl,-rpath,*} LDFLAGS:= -Wl,-rpath,${_RPATH}${F:S/-Wl,-rpath,//} \ ${LDFLAGS:N-Wl,-rpath,*} .endfor .endif .if defined(KRB5_HOME) && ${KRB5_HOME} != ${LOCALBASE} BROKEN= LIB_DEPENDS when using KRB5_HOME is broken .endif .if defined(PROGRAM_TRANSFORM_NAME) && ${PROGRAM_TRANSFORM_NAME} != "" CONFIGURE_ARGS+= --program-transform-name="${PROGRAM_TRANSFORM_NAME}" .endif .include post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5 cd ${WRKDIR}/${PORTNAME}-${PORTVERSION}; \ pdf_files=`${FIND} doc/pdf ! -type d`; \ pdf_dirs=`${FIND} doc/pdf -type d`; \ for i in $${pdf_dirs}; do \ ${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ done; \ for i in $${pdf_files}; do \ ${INSTALL_DATA} $${i} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ ${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \ done for i in $${pdf_dirs}; do \ ${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \ done | ${TAIL} -r >> ${TMPPLIST} cd ${WRKDIR}/${PORTNAME}-${PORTVERSION}; \ html_files=`${FIND} doc/html ! 
-type d | ${GREP} -v /_sources`; \ html_dirs=`${FIND} doc/html -type d | ${GREP} -v /_sources`; \ for i in $${html_dirs}; do \ ${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ done; \ for i in $${html_files}; do \ ${INSTALL_DATA} $${i} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ ${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \ done for i in $${html_dirs}; do \ ${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \ done | ${TAIL} -r >> ${TMPPLIST} ${ECHO_CMD} @dir share/doc/krb5 >> ${TMPPLIST} post-install-LDAP-on: ${MKDIR} ${STAGEDIR}${DATADIR} ${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ ${STAGEDIR}${DATADIR} ${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ ${STAGEDIR}${DATADIR} .include
diff --git a/security/krb5-122/distinfo b/security/krb5-122/distinfo
index fba29315a391..63cbfb3d57cb 100644
--- a/security/krb5-122/distinfo
+++ b/security/krb5-122/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1754462805
-SHA256 (krb5-1.22.tar.gz) = 652be617b4647f3c5dcac21547d47c7097101aad4e306f1778fb48e17b220ba3
-SIZE (krb5-1.22.tar.gz) = 8749616
+TIMESTAMP = 1755752451
+SHA256 (krb5-1.22.1.tar.gz) = 1a8832b8cad923ebbf1394f67e2efcf41e3a49f460285a66e35adec8fa0053af
+SIZE (krb5-1.22.1.tar.gz) = 8747101
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c b/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c
deleted file mode 100644
index 0a97d39c347a..000000000000
--- a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c
+++ /dev/null
@@ -1,22 +0,0 @@
---- lib/gssapi/krb5/util_crypt.c.orig 2025-08-05 14:15:15 UTC
-+++ lib/gssapi/krb5/util_crypt.c
-@@ -322,12 +322,16 @@ kg_verify_checksum_v3(krb5_context context, krb5_key k
- uint8_t ckhdr[16];
- krb5_boolean valid;
-
-- /* Compose an RFC 4121 token header with EC and RRC set to 0. */
-+ /*
-+ * Compose an RFC 4121 token header for the checksum. For a wrap token,
-+ * the EC and RRC fields have the value 0 for the checksum operation,
-+ * regardless of their values in the actual token (RFC 4121 section 4.2.4).
-+ * For a MIC token, the corresponding four bytes have the value 0xFF.
-+ */
- store_16_be(toktype, ckhdr);
- ckhdr[2] = flags;
- ckhdr[3] = 0xFF;
-- store_16_be(0, ckhdr + 4);
-- store_16_be(0, ckhdr + 6);
-+ store_32_be((toktype == KG2_TOK_MIC_MSG) ? 0xFFFFFFFF : 0, ckhdr + 4);
- store_64_be(seqnum, ckhdr + 8);
-
- /* Verify the checksum over the data and composed header. */
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c b/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c
deleted file mode 100644
index 7afb9ea4ae34..000000000000
--- a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c
+++ /dev/null
@@ -1,27 +0,0 @@
---- lib/gssapi/krb5/verify_mic.c.orig 2025-08-05 14:15:15 UTC
-+++ lib/gssapi/krb5/verify_mic.c
-@@ -90,7 +90,6 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s
- krb5_gss_ctx_id_rec *ctx, struct k5input *in,
- gss_buffer_t message)
- {
-- OM_uint32 status;
- krb5_keyusage usage;
- krb5_key key;
- krb5_cksumtype cksumtype;
-@@ -124,12 +123,10 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s
- }
- assert(key != NULL);
-
-- status = kg_verify_checksum_v3(context, key, usage, cksumtype,
-- KG2_TOK_MIC_MSG, flags, seqnum,
-- message->value, message->length,
-- in->ptr, in->len);
-- if (status != GSS_S_COMPLETE)
-- return status;
-+ if (!kg_verify_checksum_v3(context, key, usage, cksumtype, KG2_TOK_MIC_MSG,
-+ flags, seqnum, message->value, message->length,
-+ in->ptr, in->len))
-+ return GSS_S_BAD_SIG;
-
- return g_seqstate_check(ctx->seqstate, seqnum);
- }
diff --git a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c b/security/krb5-122/files/patch-tests_gssapi_t__invalid.c
deleted file mode 100644
index 736d335ea4e3..000000000000
--- a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c
+++ /dev/null
@@ -1,45 +0,0 @@
---- tests/gssapi/t_invalid.c.orig 2025-08-05 14:15:15 UTC
-+++ tests/gssapi/t_invalid.c
-@@ -397,6 +397,34 @@ test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
- free(iov[0].buffer.value);
- }
-
-+static void
-+test_cfx_verify_mic(gss_ctx_id_t ctx)
-+{
-+ OM_uint32 major, minor;
-+ gss_buffer_desc message, token;
-+ uint8_t msg[] = "message";
-+ uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF"
-+ "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74"
-+ "\x67\x94\x8A\xD0";
-+ size_t i;
-+
-+ message.value = msg;
-+ message.length = sizeof(msg) - 1;
-+ token.value = mic;
-+ token.length = sizeof(mic) - 1;
-+
-+ major = gss_verify_mic(&minor, ctx, &message, &token, NULL);
-+ check_gsserr("gss_verify_mic", major, minor);
-+
-+ for (i = 0; i < token.length; i++) {
-+ mic[i]++;
-+ major = gss_verify_mic(&minor, ctx, &message, &token, NULL);
-+ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
-+ abort();
-+ mic[i]--;
-+ }
-+}
-+
- /* Process wrap and MIC tokens with incomplete headers. */
- static void
- test_short_header(gss_ctx_id_t ctx)
-@@ -598,6 +626,7 @@ main(int argc, char **argv)
- test_cfx_short_plaintext(ctx, cfx_subkey);
- test_cfx_large_ec(ctx, cfx_subkey);
- test_iov_large_asn1_wrapper(ctx);
-+ test_cfx_verify_mic(ctx);
- free_fake_context(ctx);
-
- for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {