diff --git a/security/krb5-122/Makefile b/security/krb5-122/Makefile
index f68506489590..1d79f5620b68 100644
--- a/security/krb5-122/Makefile
+++ b/security/krb5-122/Makefile
@@ -1,154 +1,155 @@ PORTNAME= krb5 PORTVERSION= 1.22 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ .if !defined(MASTERDIR) PKGNAME_X= -${FLAVOR:S/default//}-122 .else PKGNAME_X= -${FLAVOR:S/default//} .endif PKGNAMESUFFIX= ${PKGNAME_X:S/--/-/:C/-$//} PATCH_SITES= http://web.mit.edu/kerberos/advisories/ PATCH_DIST_STRIP= -p2 MAINTAINER= cy@FreeBSD.org COMMENT= MIT implementation of RFC 4120 network authentication service WWW= https://web.mit.edu/kerberos/ LICENSE= MIT CONFLICTS= heimdal krb5 krb5-11* krb5-120 CONFLICTS_BUILD= boringssl KERBEROSV_URL= http://web.mit.edu/kerberos/ USES= autoreconf compiler:c++11-lang cpe gmake gettext-runtime \ gssapi:bootstrap,mit libtool:build localbase \ perl5 pkgconfig ssl USE_CSTD= gnu99 USE_LDCONFIG= yes USE_PERL5= build GNU_CONFIGURE= yes CONFIGURE_ARGS?= --enable-shared --without-system-verto \ --disable-rpath GNU_CONFIGURE_MANPREFIX=${PREFIX}/share CONFIGURE_ENV= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" YACC="${YACC}" MAKE_ARGS= INSTALL="${INSTALL}" INSTALL_LIB="${INSTALL_LIB}" CPE_VENDOR= mit CPE_VERSION= 5-${PORTVERSION} CPE_PRODUCT= kerberos FLAVORS= default ldap OPTIONS_DEFINE= EXAMPLES NLS DOCS DNS_FOR_REALM LDAP LMDB OPTIONS_DEFAULT= DOCS READLINE OPTIONS_RADIO= CMD_LINE_EDITING OPTIONS_RADIO_CMD_LINE_EDITING= READLINE LIBEDIT LIBEDIT_BASE CMD_LINE_EDITING_DESC= Command line editing for kadmin and ktutil DNS_FOR_REALM_DESC= Enable DNS lookups for Kerberos realm names DNS_FOR_REALM_CONFIGURE_ENABLE= dns-for-realm LDAP= Enable LDAP support LDAP_USES= ldap LDAP_CONFIGURE_WITH= ldap LMDB_DESC= OpenLDAP Lightning Memory-Mapped Database support LMDB_CONFIGURE_WITH= lmdb LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb LMDB_IMPLIES= LDAP NLS_USES= gettext NLS_CONFIGURE_OFF= --disable-nls READLINE_USES= readline READLINE_CONFIGURE_WITH=readline LIBEDIT_USES= libedit LIBEDIT_CONFIGURE_WITH= libedit 
LIBEDIT_BASE_CONFIGURE_WITH= libedit LIBEDIT_BASE_DESC= Use libedit in FreeBSD base .if ${FLAVOR:U} == ldap OPTIONS_DEFAULT+= LDAP LMDB .endif .if defined(KRB5_HOME) PREFIX= ${KRB5_HOME} .endif .if !defined(KRB5_LOCALSTATEDIR) KRB5_LOCALSTATEDIR= "${PREFIX}/var" .endif .if !defined(KRB5_RUNSTATEDIR) KRB5_RUNSTATEDIR= "${PREFIX}/var/run" .endif CONFIGURE_ARGS+= --runstatedir="${KRB5_RUNSTATEDIR}" CONFIGURE_ARGS+= --localstatedir="${KRB5_LOCALSTATEDIR}" PLIST_SUB+= KRB5_LOCALSTATEDIR=${KRB5_LOCALSTATEDIR} PLIST_SUB+= KRB5_RUNSTATEDIR=${KRB5_RUNSTATEDIR} CPPFLAGS+= -I${OPENSSLINC} LDFLAGS+= -L${OPENSSLLIB} USE_RC_SUBR= kpropd OPTIONS_SUB= yes WRKSRC_SUBDIR= src PORTEXAMPLES= kdc.conf krb5.conf services.append .include # Fix up -Wl,-rpath in LDFLAGS .if !empty(KRB5_HOME) _RPATH= ${KRB5_HOME}/lib: .else _RPATH= ${LOCALBASE}/lib: .endif .if !empty(LDFLAGS:M-Wl,-rpath,*) .for F in ${LDFLAGS:M-Wl,-rpath,*} LDFLAGS:= -Wl,-rpath,${_RPATH}${F:S/-Wl,-rpath,//} \ ${LDFLAGS:N-Wl,-rpath,*} .endfor .endif .if defined(KRB5_HOME) && ${KRB5_HOME} != ${LOCALBASE} BROKEN= LIB_DEPENDS when using KRB5_HOME is broken .endif .if defined(PROGRAM_TRANSFORM_NAME) && ${PROGRAM_TRANSFORM_NAME} != "" CONFIGURE_ARGS+= --program-transform-name="${PROGRAM_TRANSFORM_NAME}" .endif .include post-install-DOCS-on: @${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5 cd ${WRKDIR}/${PORTNAME}-${PORTVERSION}; \ pdf_files=`${FIND} doc/pdf ! -type d`; \ pdf_dirs=`${FIND} doc/pdf -type d`; \ for i in $${pdf_dirs}; do \ ${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ done; \ for i in $${pdf_files}; do \ ${INSTALL_DATA} $${i} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ ${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \ done for i in $${pdf_dirs}; do \ ${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \ done | ${TAIL} -r >> ${TMPPLIST} cd ${WRKDIR}/${PORTNAME}-${PORTVERSION}; \ html_files=`${FIND} doc/html ! 
-type d | ${GREP} -v /_sources`; \ html_dirs=`${FIND} doc/html -type d | ${GREP} -v /_sources`; \ for i in $${html_dirs}; do \ ${MKDIR} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ done; \ for i in $${html_files}; do \ ${INSTALL_DATA} $${i} ${STAGEDIR}${PREFIX}/share/doc/krb5/$${i}; \ ${ECHO_CMD} share/doc/krb5/$${i} >> ${TMPPLIST}; \ done for i in $${html_dirs}; do \ ${ECHO_CMD} @dir share/doc/krb5/$${i} >> ${TMPPLIST}; \ done | ${TAIL} -r >> ${TMPPLIST} ${ECHO_CMD} @dir share/doc/krb5 >> ${TMPPLIST} post-install-LDAP-on: ${MKDIR} ${STAGEDIR}${DATADIR} ${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema \ ${STAGEDIR}${DATADIR} ${INSTALL_DATA} ${WRKSRC}/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif \ ${STAGEDIR}${DATADIR} .include
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c b/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c
new file mode 100644
index 000000000000..0a97d39c347a
--- /dev/null
+++ b/security/krb5-122/files/patch-lib_gssapi_krb5_util__crypt.c
@@ -0,0 +1,22 @@
+--- lib/gssapi/krb5/util_crypt.c.orig 2025-08-05 14:15:15 UTC
++++ lib/gssapi/krb5/util_crypt.c
+@@ -322,12 +322,16 @@ kg_verify_checksum_v3(krb5_context context, krb5_key k
+ uint8_t ckhdr[16];
+ krb5_boolean valid;
+
+- /* Compose an RFC 4121 token header with EC and RRC set to 0. */
++ /*
++ * Compose an RFC 4121 token header for the checksum. For a wrap token,
++ * the EC and RRC fields have the value 0 for the checksum operation,
++ * regardless of their values in the actual token (RFC 4121 section 4.2.4).
++ * For a MIC token, the corresponding four bytes have the value 0xFF.
++ */
+ store_16_be(toktype, ckhdr);
+ ckhdr[2] = flags;
+ ckhdr[3] = 0xFF;
+- store_16_be(0, ckhdr + 4);
+- store_16_be(0, ckhdr + 6);
++ store_32_be((toktype == KG2_TOK_MIC_MSG) ? 0xFFFFFFFF : 0, ckhdr + 4);
+ store_64_be(seqnum, ckhdr + 8);
+
+ /* Verify the checksum over the data and composed header. */
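Review bot: The ternary in the new `store_32_be(...)` line gives every token type other than `KG2_TOK_MIC_MSG` the zeroed wrap layout, so a caller passing a third token type would silently get a header that the new comment does not describe. The comment names only wrap and MIC tokens; if those are the only values `toktype` can take here, stating that next to the store makes the assumption checkable, for example `/* toktype is KG2_TOK_WRAP_MSG or KG2_TOK_MIC_MSG; any other value is a caller bug. */`. The body of kg_verify_checksum_v3 starts and ends outside the hunk, so its callers and any existing validation of `toktype` are not visible here. This header change and the return-value fix in verify_mic.c appear to depend on each other, so the two local patches should be refreshed or dropped together.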
diff --git a/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c b/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c
new file mode 100644
index 000000000000..7afb9ea4ae34
--- /dev/null
+++ b/security/krb5-122/files/patch-lib_gssapi_krb5_verify__mic.c
@@ -0,0 +1,27 @@
+--- lib/gssapi/krb5/verify_mic.c.orig 2025-08-05 14:15:15 UTC
++++ lib/gssapi/krb5/verify_mic.c
+@@ -90,7 +90,6 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s
+ krb5_gss_ctx_id_rec *ctx, struct k5input *in,
+ gss_buffer_t message)
+ {
+- OM_uint32 status;
+ krb5_keyusage usage;
+ krb5_key key;
+ krb5_cksumtype cksumtype;
+@@ -124,12 +123,10 @@ verify_mic_v3(krb5_context context, OM_uint32 *minor_s
+ }
+ assert(key != NULL);
+
+- status = kg_verify_checksum_v3(context, key, usage, cksumtype,
+- KG2_TOK_MIC_MSG, flags, seqnum,
+- message->value, message->length,
+- in->ptr, in->len);
+- if (status != GSS_S_COMPLETE)
+- return status;
++ if (!kg_verify_checksum_v3(context, key, usage, cksumtype, KG2_TOK_MIC_MSG,
++ flags, seqnum, message->value, message->length,
++ in->ptr, in->len))
++ return GSS_S_BAD_SIG;
+
+ return g_seqstate_check(ctx->seqstate, seqnum);
+ }
diff --git a/security/krb5-122/files/patch-tests_gssapi_t__invalid.c b/security/krb5-122/files/patch-tests_gssapi_t__invalid.c
new file mode 100644
index 000000000000..736d335ea4e3
--- /dev/null
+++ b/security/krb5-122/files/patch-tests_gssapi_t__invalid.c
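Review bot: Nothing in this change guards other call sites against the mistake being fixed: the removed lines stored the krb5_boolean result of kg_verify_checksum_v3() in an OM_uint32 and compared it with GSS_S_COMPLETE, which compiles cleanly but inverts the check, so a failed checksum was treated as success. Any other caller of kg_verify_checksum_v3() (none is visible in this patch) should be checked for the same pattern. A short comment at the call, such as `/* kg_verify_checksum_v3() returns TRUE when the checksum is valid; it is not a GSS major status. */`, would keep the contract in front of the next reader. verify_mic_v3 begins before the second inner hunk, so whether the minor status output is set before the new `return GSS_S_BAD_SIG;` cannot be confirmed from here.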
@@ -0,0 +1,45 @@
+--- tests/gssapi/t_invalid.c.orig 2025-08-05 14:15:15 UTC
++++ tests/gssapi/t_invalid.c
+@@ -397,6 +397,34 @@ test_iov_large_asn1_wrapper(gss_ctx_id_t ctx)
+ free(iov[0].buffer.value);
+ }
+
++static void
++test_cfx_verify_mic(gss_ctx_id_t ctx)
++{
++ OM_uint32 major, minor;
++ gss_buffer_desc message, token;
++ uint8_t msg[] = "message";
++ uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF"
++ "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74"
++ "\x67\x94\x8A\xD0";
++ size_t i;
++
++ message.value = msg;
++ message.length = sizeof(msg) - 1;
++ token.value = mic;
++ token.length = sizeof(mic) - 1;
++
++ major = gss_verify_mic(&minor, ctx, &message, &token, NULL);
++ check_gsserr("gss_verify_mic", major, minor);
++
++ for (i = 0; i < token.length; i++) {
++ mic[i]++;
++ major = gss_verify_mic(&minor, ctx, &message, &token, NULL);
++ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
++ abort();
++ mic[i]--;
++ }
++}
++
+ /* Process wrap and MIC tokens with incomplete headers. */
+ static void
+ test_short_header(gss_ctx_id_t ctx)
+@@ -598,6 +626,7 @@ main(int argc, char **argv)
+ test_cfx_short_plaintext(ctx, cfx_subkey);
+ test_cfx_large_ec(ctx, cfx_subkey);
+ test_iov_large_asn1_wrapper(ctx);
++ test_cfx_verify_mic(ctx);
+ free_fake_context(ctx);
+
+ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
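Review bot: test_cfx_verify_mic corrupts only the token; it never checks that an intact token is rejected for a different message, which is the other half of what a MIC protects. After the loop, something like `msg[0]++;`, `major = gss_verify_mic(&minor, ctx, &message, &token, NULL);` and `if (major != GSS_S_BAD_SIG) abort();` should cover that case. The function also lacks the one-line description its neighbour test_short_header has; `/* Verify a known-good CFX MIC token, then check that changing any single byte of it is rejected. */` would explain the hard-coded bytes. How the fake context derives the key that makes this token valid is outside the hunk.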