diff --git a/backport-set-Do-not-leave-free-d-expr_list-elements-in-place.patch b/backport-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
new file mode 100644
index 0000000..cfa743d
--- /dev/null
+++ b/backport-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
@@ -0,0 +1,69 @@
+From 2d83a7d4f58fbf6eaa9aeace49c78d91a86a3b28 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 31 May 2023 14:09:09 +0200
+Subject: [PATCH] set: Do not leave free'd expr_list elements in place
+
+When freeing elements, remove them also to prevent a potential UAF.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
+Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
+Signed-off-by: Phil Sutter
+---
+ src/set.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/set.c b/src/set.c
+index c46f827..719e596 100644
+--- a/src/set.c
++++ b/src/set.c
+@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
+ if (s->flags & (1 << NFTNL_SET_USERDATA))
+ xfree(s->user.data);
+
+- list_for_each_entry_safe(expr, next, &s->expr_list, head)
++ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+
+ list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
+ list_del(&elem->head);
+@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
+ break;
+ case NFTNL_SET_EXPR:
+ case NFTNL_SET_EXPRESSIONS:
+- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+ break;
+ default:
+ return;
+@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
+ s->user.len = data_len;
+ break;
+ case NFTNL_SET_EXPR:
+- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
++ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+
+ expr = (void *)data;
+ list_add(&expr->head, &s->expr_list);
+@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
+
+ return 0;
+ out_set_expr:
+- list_for_each_entry_safe(expr, next, &s->expr_list, head)
++ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
++ list_del(&expr->head);
+ nftnl_expr_free(expr);
++ }
+
+ return -1;
+ }
+--
+2.27.0
+
diff --git a/backport-tests-nft-rule-test-Add-test-cases-to-improve-code-c.patch b/backport-tests-nft-rule-test-Add-test-cases-to-improve-code-c.patch
new file mode 100644
index 0000000..cdf5219
--- /dev/null
+++ b/backport-tests-nft-rule-test-Add-test-cases-to-improve-code-c.patch
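Review bot: The unlink-and-free loop is now spelled out identically in four places of src/set.c (nftnl_set_free, nftnl_set_unset, nftnl_set_set_data and the out_set_expr path of nftnl_set_nlmsg_parse), which is exactly how the original missing list_del() crept in: every site that drains expr_list has to remember both statements. A small static helper would give that invariant a single home and turn each site into one call; nftnl_set_free() takes a const pointer, so that caller would need the same treatment the existing list_del(&elem->head) there already gets. The fix itself looks right: each element is unlinked before nftnl_expr_free(), so a later traversal of expr_list no longer reaches a freed node. All four inner hunks show only fragments of their enclosing functions, and since this is a verbatim backport the refactor belongs upstream rather than in this patch file.
```c
/* Unlink and free every expression attached to the set. */
static void nftnl_set_expr_list_flush(struct nftnl_set *s)
{
	struct nftnl_expr *expr, *next;

	list_for_each_entry_safe(expr, next, &s->expr_list, head) {
		list_del(&expr->head);
		nftnl_expr_free(expr);
	}
}
/* … unchanged: each of the four call sites becomes nftnl_set_expr_list_flush(s); … */
```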
@@ -0,0 +1,40 @@
+From 53ccf6e7a50d33ec6da5501bf75a1a621459f7aa Mon Sep 17 00:00:00 2001
+From: shixuantong
+Date: Fri, 2 Jun 2023 00:05:37 +0800
+Subject: [PATCH] tests: nft-rule-test: Add test cases to improve code coverage
+
+Signed-off-by: shixuantong
+Signed-off-by: Pablo Neira Ayuso
+---
+ tests/nft-rule-test.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tests/nft-rule-test.c b/tests/nft-rule-test.c
+index 3652bf6..3a92223 100644
+--- a/tests/nft-rule-test.c
++++ b/tests/nft-rule-test.c
+@@ -48,6 +48,12 @@ static void cmp_nftnl_rule(struct nftnl_rule *a, struct nftnl_rule *b)
+ if (nftnl_rule_get_u32(a, NFTNL_RULE_COMPAT_FLAGS) !=
+ nftnl_rule_get_u32(b, NFTNL_RULE_COMPAT_FLAGS))
+ print_err("Rule compat_flags mismatches");
++ if (nftnl_rule_get_u32(a, NFTNL_RULE_ID) !=
++ nftnl_rule_get_u32(b, NFTNL_RULE_ID))
++ print_err("Rule id mismatches");
++ if (nftnl_rule_get_u32(a, NFTNL_RULE_POSITION_ID) !=
++ nftnl_rule_get_u32(b, NFTNL_RULE_POSITION_ID))
++ print_err("Rule position_id mismatches");
+ if (nftnl_rule_get_u64(a, NFTNL_RULE_POSITION) !=
+ nftnl_rule_get_u64(b, NFTNL_RULE_POSITION))
+ print_err("Rule compat_position mismatches");
+@@ -84,6 +90,8 @@ int main(int argc, char *argv[])
+ nftnl_rule_set_u64(a, NFTNL_RULE_HANDLE, 0x1234567812345678);
+ nftnl_rule_set_u32(a, NFTNL_RULE_COMPAT_PROTO, 0x12345678);
+ nftnl_rule_set_u32(a, NFTNL_RULE_COMPAT_FLAGS, 0x12345678);
++ nftnl_rule_set_u32(a, NFTNL_RULE_ID, 0x12345678);
++ nftnl_rule_set_u32(a, NFTNL_RULE_POSITION_ID, 0x12345678);
+ nftnl_rule_set_u64(a, NFTNL_RULE_POSITION, 0x1234567812345678);
+ nftnl_rule_set_data(a, NFTNL_RULE_USERDATA,
+ nftnl_udata_buf_data(udata),
+--
+2.27.0
+
diff --git a/libnftnl.spec b/libnftnl.spec
index 76fe85e..8df7380 100644
--- a/libnftnl.spec
+++ b/libnftnl.spec
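Review bot: The two new nftnl_rule_set_u32() calls in main() give NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID the same value 0x12345678, so the comparisons added to cmp_nftnl_rule() cannot tell the two attributes apart: a round trip that swapped them or copied one into the other would still pass. Distinct values would make the added coverage meaningful, e.g. `nftnl_rule_set_u32(a, NFTNL_RULE_POSITION_ID, 0x87654321);`. The existing COMPAT_PROTO/COMPAT_FLAGS lines share the same weakness, but they are outside this change. Both enclosing functions, cmp_nftnl_rule() and main(), start and end outside the inner hunks.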
@@ -1,6 +1,6 @@
 Name: libnftnl
 Version: 1.2.0
-Release: 4
+Release: 5
 Summary: Library for low-level interaction with nftables Netlink's API over libmnl
 License: GPLv2+
 URL: http://netfilter.org/projects/libnftnl/
@@ -9,6 +9,8 @@ Source0: http://netfilter.org/projects/libnftnl/files/%{name}-%{version}.tar.bz2
 Patch6000: backport-rule-set_elem-fix-printing-of-user-data.patch
 Patch6001: backport-rule-set_elem-remove-trailing-n-in-userdata-snprintf.patch
 Patch6002: backport-libnftnl-Fix-res_id-byte-order.patch
+Patch6003: backport-set-Do-not-leave-free-d-expr_list-elements-in-place.patch
+Patch6004: backport-tests-nft-rule-test-Add-test-cases-to-improve-code-c.patch
 
 BuildRequires: libmnl-devel jansson-devel gcc
 
@@ -55,6 +57,9 @@ make %{?_smp_mflags} check
 %{_includedir}/libnftnl
 
 %changelog
+* Mon Jun 05 2023 shixuantong - 1.2.0-5
+- Do not leave free'd expr_list elements in place and add test cases
+
 * Mon May 29 2023 shixuantong - 1.2.0-4
 - Fix res_id byte order