diff --git a/meta-oniro-staging/recipes-support/nss/nss/CVE-2020-12403.patch b/meta-oniro-staging/recipes-support/nss/nss/CVE-2020-12403.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3ed8faf5288ed49ef8c65b9f63ed59ef4e7b83da
--- /dev/null
+++ b/meta-oniro-staging/recipes-support/nss/nss/CVE-2020-12403.patch
@@ -0,0 +1,68 @@
+From c6c2243be1a1359b4f22ffa51a90e84dc43b98d0 Mon Sep 17 00:00:00 2001
+From: Marta Rybczynska <marta.rybczynska@huawei.com>
+Date: Wed, 3 Nov 2021 12:12:37 +0100
+Subject: [PATCH] nss: fix CVE-2020-12403
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031218 0
+# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
+# Parent  f282556e6cc7715f5754aeaadda6f902590e7e38
+Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D74801
+
+Upstream-Status: Backport
+
+CVE: CVE-2020-12403
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ .../pk11_gtest/pk11_chacha20poly1305_unittest.cc      | 11 +++++++++--
+ nss/lib/freebl/chacha20poly1305.c                     |  2 +-
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+index 2663441..a461977 100644
+--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
++++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+@@ -44,7 +44,7 @@ class Pkcs11ChaCha20Poly1305Test
+     SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+                       sizeof(aead_params)};
+ 
+-    // Encrypt with bad parameters.
++    // Encrypt with bad parameters (TagLen is too long).
+     unsigned int encrypted_len = 0;
+     std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
+     aead_params.ulTagLen = 158072;
+@@ -53,9 +53,16 @@ class Pkcs11ChaCha20Poly1305Test
+                      &encrypted_len, encrypted.size(), data, data_len);
+     EXPECT_EQ(SECFailure, rv);
+     EXPECT_EQ(0U, encrypted_len);
+-    aead_params.ulTagLen = 16;
++
++    // Encrypt with bad parameters (TagLen is too short).
++    aead_params.ulTagLen = 2;
++    rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
++                      &encrypted_len, encrypted.size(), data, data_len);
++    EXPECT_EQ(SECFailure, rv);
++    EXPECT_EQ(0U, encrypted_len);
+ 
+     // Encrypt.
++    aead_params.ulTagLen = 16;
+     rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+                       &encrypted_len, encrypted.size(), data, data_len);
+ 
+diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c
+index 4daba2a..9d94f59 100644
+--- a/nss/lib/freebl/chacha20poly1305.c
++++ b/nss/lib/freebl/chacha20poly1305.c
+@@ -60,7 +60,7 @@ ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
+         PORT_SetError(SEC_ERROR_BAD_KEY);
+         return SECFailure;
+     }
+-    if (tagLen == 0 || tagLen > 16) {
++    if (tagLen != 16) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
diff --git a/meta-oniro-staging/recipes-support/nss/nss/CVE-2020-12403_2.patch b/meta-oniro-staging/recipes-support/nss/nss/CVE-2020-12403_2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..18b1e58bf5cdbd3b446b67e93c0b7d4614d567a0
--- /dev/null
+++ b/meta-oniro-staging/recipes-support/nss/nss/CVE-2020-12403_2.patch
@@ -0,0 +1,96 @@
+From 930bc9c5b0f9e6ed8dc9f9cd237eede41591a64e Mon Sep 17 00:00:00 2001
+From: Marta Rybczynska <marta.rybczynska@huawei.com>
+Date: Wed, 3 Nov 2021 12:21:44 +0100
+Subject: [PATCH] nss: followup CVE-2020-12403
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031194 0
+# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
+# Parent  89733253df83ef7fe8dd0d49f6370b857e93d325
+Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
+
+Depends on D74801
+
+Differential Revision: https://phabricator.services.mozilla.com/D83994
+
+Upstream-Status: Backport
+
+CVE: CVE-2020-12403
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ .../pk11_gtest/pk11_cipherop_unittest.cc      | 49 +++++++++++++++++++
+ nss/lib/softoken/pkcs11c.c                    |  1 +
+ 2 files changed, 50 insertions(+)
+
+diff --git a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+index 38982fd..700750c 100644
+--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
++++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+   NSS_ShutdownContext(globalctx);
+ }
+ 
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++  PK11SlotInfo* slot;
++  PK11SymKey* key;
++  PK11Context* ctx;
++
++  NSSInitContext* globalctx =
++      NSS_InitContext("", "", "", "", NULL,
++                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++  slot = PK11_GetInternalSlot();
++  ASSERT_TRUE(slot);
++
++  // Use arbitrary bytes for the ChaCha20 key and IV
++  uint8_t key_bytes[32];
++  for (size_t i = 0; i < 32; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem keyItem = {siBuffer, key_bytes, 32};
++
++  uint8_t iv_bytes[16];
++  for (size_t i = 0; i < 16; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++                          &keyItem, NULL);
++  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++  ASSERT_TRUE(key);
++  ASSERT_TRUE(ctx);
++
++  uint8_t outbuf[128];
++  // This is supposed to fail for Chacha20. This is because the underlying
++  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++  // which multi-part is disabled for ChaCha20 in counter mode.
++  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++  PK11_FreeSymKey(key);
++  PK11_FreeSlot(slot);
++  SECITEM_FreeItem(param, PR_TRUE);
++  PK11_DestroyContext(ctx, PR_TRUE);
++  NSS_ShutdownContext(globalctx);
++}
++
+ }  // namespace nss_test
+diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c
+index 6f3c2aa..53ec5f4 100644
+--- a/nss/lib/softoken/pkcs11c.c
++++ b/nss/lib/softoken/pkcs11c.c
+@@ -1205,6 +1205,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+             break;
+ 
+         case CKM_NSS_CHACHA20_CTR:
++            context->multi = PR_FALSE;
+             if (key_type != CKK_NSS_CHACHA20) {
+                 crv = CKR_KEY_TYPE_INCONSISTENT;
+                 break;
diff --git a/meta-oniro-staging/recipes-support/nss/nss_3.51.1.bbappend b/meta-oniro-staging/recipes-support/nss/nss_3.51.1.bbappend
new file mode 100644
index 0000000000000000000000000000000000000000..1d512e790f6f966172337d99c04882038b5c7317
--- /dev/null
+++ b/meta-oniro-staging/recipes-support/nss/nss_3.51.1.bbappend
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://CVE-2020-12403.patch file://CVE-2020-12403_2.patch"
+