diff --git a/debian/changelog b/debian/changelog
index b7d000ff..5d3eac09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libvirt (10.7.0+really9.10.0-1deepin17) unstable; urgency=medium
+
+ * Fix CVE-2025-13193: set proper umask for external snapshot images to
+ prevent world-readable file creation (information disclosure
+ vulnerability).
+
+ -- deepin-ci-robot Wed, 27 May 2026 01:47:54 +0800
+
 libvirt (10.7.0+really9.10.0-1deepin16) unstable; urgency=medium

 * Enable ACPI by default for LoongArch virt machines
diff --git a/debian/patches/backport/CVE-2025-13193-set-umask-for-external-snapshots.patch b/debian/patches/backport/CVE-2025-13193-set-umask-for-external-snapshots.patch
new file mode 100644
index 00000000..cf122fa7
--- /dev/null
+++ b/debian/patches/backport/CVE-2025-13193-set-umask-for-external-snapshots.patch
@@ -0,0 +1,12 @@
+--- a/src/qemu/qemu_snapshot.c
++++ b/src/qemu/qemu_snapshot.c
+@@ -233,6 +233,9 @@
+ NULL)))
+ return -1;
+
++ /* ensure that new files are only readable by the user */
++ virCommandSetUmask(cmd, 0077);
++
+ /* adds cmd line arg: backing_fmt=format,backing_file=/path/to/backing/file */
+ virBufferAsprintf(&buf, "backing_fmt=%s,backing_file=",
+ virStorageFileFormatTypeToString(defdisk->src->format));
diff --git a/debian/patches/series b/debian/patches/series
index 96228038..072465a1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ fix-firmware-descriptor-parsing.patch
 add-loongarch64-arch-support.patch
 fix-virtio-iommu-test-expected-output.patch
 enable-acpi-for-loongarch-virt.patch
+backport/CVE-2025-13193-set-umask-for-external-snapshots.patch
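Review bot: The new file debian/patches/backport/CVE-2025-13193-set-umask-for-external-snapshots.patch starts directly at `--- a/src/qemu/qemu_snapshot.c` with no header, so nothing records where this backport came from or which upstream change it should be compared against. Add DEP-3 fields above the diff, for example `Description: set umask 0077 for external snapshot image creation (CVE-2025-13193)` and `Origin: backport, <upstream commit URL>`. The inner hunk header `@@ -233,6 +233,9 @@` carries no function name and the enclosing function starts and ends outside the hunk, so the header should also name the function being patched. It is worth stating there as well that a umask only affects files created after the update; snapshot images written earlier keep their existing mode and need a separate permission check.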