new file mode 100644
@@ -0,0 +1,49 @@
+From a4d9d540103ff9a262e304329c277ec89b27e5f9 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 15 Sep 2025 07:47:51 +0900
+Subject: [PATCH] Fix expected value assertion for NaN value (fix #3393)
+ (#3408)
+
+CVE: CVE-2025-9403
+
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/a4d9d540103ff9a262e304329c277ec89b27e5f9]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/jq_test.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/jq_test.c b/src/jq_test.c
+index 3945686..f42b05c 100644
+--- a/src/jq_test.c
++++ b/src/jq_test.c
+@@ -2,6 +2,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <math.h>
+ #ifdef HAVE_PTHREAD
+ #include <pthread.h>
+ #endif
+@@ -208,11 +209,13 @@ static void run_jq_tests(jv lib_dirs, int verbose, FILE *testdata, int skip, int
+ printf(" for test at line number %u: %s\n", lineno, prog);
+ pass = 0;
+ }
+- jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
+- jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
+- assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
+- jv_free(as_string);
+- jv_free(reparsed);
++ if (!(jv_get_kind(expected) == JV_KIND_NUMBER && isnan(jv_number_value(expected)))) {
++ jv as_string = jv_dump_string(jv_copy(expected), rand() & ~(JV_PRINT_COLOR|JV_PRINT_REFCOUNT));
++ jv reparsed = jv_parse_sized(jv_string_value(as_string), jv_string_length_bytes(jv_copy(as_string)));
++ assert(jv_equal(jv_copy(expected), jv_copy(reparsed)));
++ jv_free(as_string);
++ jv_free(reparsed);
++ }
+ jv_free(expected);
+ jv_free(actual);
+ }
+--
+2.40.0
+
@@ -14,6 +14,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2024-23337.patch \
file://CVE-2024-53427.patch \
file://CVE-2025-48060.patch \
+ file://CVE-2025-9403.patch \
"
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"