diff --git a/security/libssh/Makefile b/security/libssh/Makefile
index 10ebb693d642..3da478bcaef1 100644
--- a/security/libssh/Makefile
+++ b/security/libssh/Makefile
@@ -1,78 +1,81 @@
 PORTNAME=	libssh
 PORTVERSION=	0.12.0
 PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.libssh.org/files/${PORTVERSION:R}/ \
 		https://ftp.openbsd.org/pub/OpenBSD/distfiles/
 
 MAINTAINER=	sunpoet@FreeBSD.org
 COMMENT=	Library implementing the SSH2 protocol
 WWW=		https://www.libssh.org/ \
 		https://gitlab.com/libssh/libssh-mirror
 
 LICENSE=	LGPL21
 LICENSE_FILE=	${WRKSRC}/COPYING
 
-BROKEN_FreeBSD_15=	src/mlkem_crypto.c:31:10: fatal error: 'openssl/ml_kem.h' file not found
-BROKEN_FreeBSD_16=	src/mlkem_crypto.c:31:10: fatal error: 'openssl/ml_kem.h' file not found
-
 TEST_DEPENDS=	cmocka>=0:sysutils/cmocka
 
 USES=		cmake:testing cpe tar:xz
 
 CMAKE_ARGS=	-DCMAKE_CTEST_ARGUMENTS="-E;'torture_config|torture_misc'" \
 		-DGLOBAL_BIND_CONFIG=${PREFIX}/etc/ssh/libssh_server_config \
 		-DGLOBAL_CLIENT_CONFIG=${PREFIX}/etc/ssh/ssh_config
 CMAKE_OFF=	CLIENT_TESTING \
 		CMAKE_DISABLE_FIND_PACKAGE_Doxygen \
 		FUZZ_TESTING \
 		GSSAPI_TESTING \
 		PICKY_DEVELOPER \
 		SERVER_TESTING \
 		UNIT_TESTING \
 		WITH_ABI_BREAK \
 		WITH_BENCHMARKS \
 		WITH_BLOWFISH_CIPHER \
 		WITH_COVERAGE \
 		WITH_DEBUG_CALLTRACE \
 		WITH_DEBUG_CRYPTO \
 		WITH_DEBUG_PACKET \
 		WITH_EXAMPLES \
 		WITH_INSECURE_NONE \
 		WITH_INTERNAL_DOC \
 		WITH_MBEDTLS \
 		WITH_NACL \
 		WITH_PKCS11_PROVIDER \
 		WITH_PKCS11_URI
 CMAKE_ON=	BUILD_SHARED_LIBS \
 		WITH_EXEC \
 		WITH_GEX \
 		WITH_PCAP \
 		WITH_SERVER \
 		WITH_SFTP \
 		WITH_SYMBOL_VERSIONING \
 		WITH_ZLIB
 CMAKE_TESTING_ON=	UNIT_TESTING
 USE_LDCONFIG=	yes
 
 OPTIONS_DEFINE=	OPENSSL STATIC
 OPTIONS_SINGLE=	GSSAPI
 OPTIONS_SINGLE_GSSAPI=	GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE
 OPTIONS_DEFAULT=GSSAPI_BASE OPENSSL STATIC
 OPTIONS_SUB=	yes
 
 GSSAPI_BASE_CMAKE_ON=	-DKRB5_CONFIG=${KRB5CONFIG} -DWITH_GSSAPI=ON
 GSSAPI_BASE_USES=	gssapi:base,flags
 GSSAPI_HEIMDAL_CMAKE_ON=-DKRB5_CONFIG=${KRB5CONFIG} -DWITH_GSSAPI=ON
 GSSAPI_HEIMDAL_USES=	gssapi:heimdal,flags
 GSSAPI_MIT_CMAKE_ON=	-DKRB5_CONFIG=${KRB5CONFIG} -DWITH_GSSAPI=ON
 GSSAPI_MIT_USES=	gssapi:mit,flags
 GSSAPI_NONE_CMAKE_BOOL_OFF=	WITH_GSSAPI
 OPENSSL_CMAKE_BOOL_OFF=	CMAKE_DISABLE_FIND_PACKAGE_OpenSSL
 OPENSSL_USES=		ssl
 STATIC_CMAKE_BOOL=	BUILD_STATIC_LIB
 
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MOPENSSL} && ${SSL_DEFAULT} == base && !exists(/usr/include/openssl/ml_kem.h)
+EXTRA_PATCHES+=	${PATCHDIR}/extra-patch-mlkem
+.endif
+
 post-install-STATIC-on:
 	${INSTALL_DATA} ${INSTALL_WRKSRC}/src/libssh.a ${STAGEDIR}${PREFIX}/lib/
 
 .include <bsd.port.mk>
diff --git a/security/libssh/files/extra-patch-mlkem b/security/libssh/files/extra-patch-mlkem
new file mode 100644
index 000000000000..cc530f2e900a
--- /dev/null
+++ b/security/libssh/files/extra-patch-mlkem
@@ -0,0 +1,11 @@
+--- ConfigureChecks.cmake.orig	2026-02-10 09:36:24 UTC
++++ ConfigureChecks.cmake
+@@ -106,8 +106,6 @@ if (OPENSSL_FOUND)
+ 
+     # Check for ML-KEM availability (OpenSSL 3.5+)
+     if (OPENSSL_VERSION VERSION_GREATER_EQUAL "3.5.0")
+-        set(HAVE_OPENSSL_MLKEM 1)
+-        set(HAVE_MLKEM1024 1)
+     endif ()
+ 
+     unset(CMAKE_REQUIRED_INCLUDES)