diff --git a/SPECS/keda/CVE-2026-26958.patch b/SPECS/keda/CVE-2026-26958.patch
new file mode 100644
index 00000000000..925f6ef356c
--- /dev/null
+++ b/SPECS/keda/CVE-2026-26958.patch
@@ -0,0 +1,41 @@
+From fa8223239724e073f01a203dbd7e090d499b901b Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda
+Date: Sun, 15 Feb 2026 22:00:22 +0100
+Subject: [PATCH] extra: initialize receiver in MultiScalarMult
+
+(*Point).MultiScalarMult failed to initialize its receiver.
+
+If the method is called on an initialized point that is not the identity
+point, MultiScalarMult produces an incorrect result.
+
+If the method is called on an uninitialized point, the behavior is
+undefined. In particular, if the receiver is the zero value,
+MultiScalarMult returns an invalid point that compares Equal to every
+point.
+
+This was independently reported by @WeebDataHoarder and @shaharcohen1.
+
+Fixes CVE-2026-26958
+Fixes GHSA-fw7p-63qq-7hpr
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb.patch
+---
+ vendor/filippo.io/edwards25519/extra.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/vendor/filippo.io/edwards25519/extra.go b/vendor/filippo.io/edwards25519/extra.go
+index d152d68f..ab2e44a5 100644
+--- a/vendor/filippo.io/edwards25519/extra.go
++++ b/vendor/filippo.io/edwards25519/extra.go
+@@ -265,6 +265,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
+ 	tmp1 := &projP1xP1{}
+ 	tmp2 := &projP2{}
+ 	// Lookup-and-add the appropriate multiple of each input point
++	v.Set(NewIdentityPoint())
+ 	for j := range tables {
+ 		tables[j].SelectInto(multiple, digits[j][63])
+ 		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
+-- 
+2.45.4
+
diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec
index b121fdff1d5..5313d30097b 100644
--- a/SPECS/keda/keda.spec
+++ b/SPECS/keda/keda.spec
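Review bot: The added `v.Set(NewIdentityPoint())` discards whatever the receiver held on entry, so a caller that passes its own receiver as one of `points` is only safe if the per-point `tables` selected from on the following lines were fully populated from `points` before this line; that table construction sits above the hunk (MultiScalarMult starts before the hunk and continues after it), so confirm the tables hold copies rather than assuming it. The method's doc comment is also outside the hunk; if it does not already say so, it should state `// Any prior value of v is ignored; v is overwritten with the result.` so the contract the fix establishes is explicit. The visible use of `tables[j]` and `digits[j][63]` immediately after the reset is consistent with both already being computed, which is what makes the one-line fix complete. Whether any KEDA code path actually reaches MultiScalarMult is not visible here; carrying the patch is still correct since the vendored module ships in the binaries, but the changelog could note it if this is defense-in-depth only.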
@@ -1,7 +1,7 @@
 Summary: Kubernetes-based Event Driven Autoscaling
 Name: keda
 Version: 2.14.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -38,6 +38,7 @@ Patch12: CVE-2025-11065.patch
 Patch13: CVE-2025-47911.patch
 Patch14: CVE-2025-58190.patch
 Patch15: CVE-2026-2303.patch
+Patch16: CVE-2026-26958.patch
 BuildRequires: golang >= 1.15
 
 %description
@@ -73,6 +74,9 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir}
 %{_bindir}/%{name}-admission-webhooks
 
 %changelog
+* Mon Mar 02 2026 Azure Linux Security Servicing Account - 2.14.1-12
+- Patch for CVE-2026-26958
+
 * Thu Feb 19 2026 Azure Linux Security Servicing Account - 2.14.1-11
 - Patch for CVE-2026-2303, CVE-2025-58190, CVE-2025-47911
 