diff --git a/nix/patches/qtbase-wayland-screen-uaf.patch b/nix/patches/qtbase-wayland-screen-uaf.patch
index 1c4808b..616611e 100644
--- a/nix/patches/qtbase-wayland-screen-uaf.patch
+++ b/nix/patches/qtbase-wayland-screen-uaf.patch
@@ -91,7 +91,7 @@ index 29952886..88b57945 100644
 QWaylandIntegration *mWaylandIntegration = nullptr;
 #if QT_CONFIG(cursor)
 diff --git a/src/plugins/platforms/wayland/qwaylandsurface.cpp b/src/plugins/platforms/wayland/qwaylandsurface.cpp
-index 274fdda8..fd098066 100644
+index 274fdda8..a881b9d1 100644
 --- a/src/plugins/platforms/wayland/qwaylandsurface.cpp
 +++ b/src/plugins/platforms/wayland/qwaylandsurface.cpp
 @@ -13,18 +13,31 @@ namespace QtWaylandClient {
@@ -126,6 +126,32 @@ index 274fdda8..fd098066 100644
 for (auto *screen : std::as_const(m_screens)) {
 // only report valid screens
 // we can have some ouptuts waiting for xdg output information
+@@ -60,6 +73,14 @@ void QWaylandSurface::surface_enter(wl_output *output)
+ if (!addedScreen)
+ return;
+
++ // The wl_output proxy argument was resolved at demarshal time (when the
++ // event was read from the socket). If a preceding event in the same
++ // dispatch batch destroyed the proxy, fromWlOutput may return a stale
++ // QWaylandScreen pointer from freed proxy memory. Validate against the
++ // display's live screen lists before using.
++ if (m_display && !m_display->isScreenAlive(addedScreen))
++ return;
++
+ if (m_screens.contains(addedScreen)) {
+ qCWarning(lcQpaWayland)
+ << "Ignoring unexpected wl_surface.enter received for output with id:"
+@@ -80,6 +101,10 @@ void QWaylandSurface::surface_leave(wl_output *output)
+ if (!removedScreen)
+ return;
+
++ // See comment in surface_enter: the proxy may be stale.
++ if (m_display && !m_display->isScreenAlive(removedScreen))
++ return;
++
+ bool wasRemoved = m_screens.removeOne(removedScreen);
+ if (!wasRemoved) {
+ qCWarning(lcQpaWayland)
 diff --git a/src/plugins/platforms/wayland/qwaylandsurface_p.h b/src/plugins/platforms/wayland/qwaylandsurface_p.h
 index 41860297..ddb63b04 100644
 --- a/src/plugins/platforms/wayland/qwaylandsurface_p.h
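Review bot: The liveness check in `surface_enter` and `surface_leave` runs only after `fromWlOutput(output)` has already read the proxy, and the added comment itself says that read can come from freed proxy memory, so the guard filters the result of the stale read rather than preventing it. It is therefore only sound if `isScreenAlive()` compares the pointer by address and never dereferences it (its definition is outside this hunk), which is worth stating next to the check, e.g. `// isScreenAlive() must compare addresses only: addedScreen may point into freed memory`. Both guards are also skipped when `m_display` is null, so the unvalidated pointer is used in that case; if a null display is not a supported state here, `if (!m_display || !m_display->isScreenAlive(addedScreen)) return;` fails closed. In `surface_leave` the early return also leaves any matching entry in `m_screens`, which is safe only if screen teardown purges that list elsewhere in the patch. Both function bodies start and end outside the hunk.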