diff --git a/nixos/modules/services/cluster/kubernetes/kubelet.nix b/nixos/modules/services/cluster/kubernetes/kubelet.nix
index aa759e20f49fc..ca7b524081f63 100644
--- a/nixos/modules/services/cluster/kubernetes/kubelet.nix
+++ b/nixos/modules/services/cluster/kubernetes/kubelet.nix
@@ -336,7 +336,10 @@ in
           [
             gitMinimal
             openssh
-            util-linux
+            # TODO (#409339): remove this patch. We had to add it to avoid a mass rebuild
+            # for the 25.05 release. Once the staging cycle referenced in the above PR completes,
+            # switch back to plain util-linux.
+            util-linux.withPatches
             iproute2
             ethtool
             thin-provisioning-tools
diff --git a/pkgs/applications/networking/cluster/k3s/builder.nix b/pkgs/applications/networking/cluster/k3s/builder.nix
index 8cbb824230f01..e2662f9894524 100644
--- a/pkgs/applications/networking/cluster/k3s/builder.nix
+++ b/pkgs/applications/networking/cluster/k3s/builder.nix
@@ -333,16 +333,10 @@ let
     }).overrideAttrs
       overrideContainerdAttrs;
 
-  # TODO (#405952): remove this patch. We had to add it to avoid a mass rebuild
-  # for the 25.05 release. Once the above PR is merged, switch back to plain util-linuxMinimal.
-  k3sUtilLinux = util-linuxMinimal.overrideAttrs (prev: {
-    patches =
-      prev.patches or [ ]
-      ++ lib.singleton (fetchpatch {
-        url = "https://github.com/util-linux/util-linux/commit/7dbfe31a83f45d5aef2b508697e9511c569ffbc8.patch";
-        hash = "sha256-bJqpZiPli5Pm/XpDA445Ab5jesXrlcnaO6e4V0B3rSw=";
-      });
-  });
+  # TODO (#409339): remove this patch. We had to add it to avoid a mass rebuild
+  # for the 25.05 release. Once the staging cycle referenced in the above PR completes,
+  # switch back to plain util-linuxMinimal.
+  k3sUtilLinux = util-linuxMinimal.withPatches;
 in
 buildGoModule rec {
   pname = "k3s";
diff --git a/pkgs/by-name/ut/util-linux/fix-mount-regression.patch b/pkgs/by-name/ut/util-linux/fix-mount-regression.patch
new file mode 100644
index 0000000000000..973ba7493e7d9
--- /dev/null
+++ b/pkgs/by-name/ut/util-linux/fix-mount-regression.patch
@@ -0,0 +1,39 @@
+From 7dbfe31a83f45d5aef2b508697e9511c569ffbc8 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 24 Mar 2025 14:31:05 +0100
+Subject: [PATCH] libmount: fix --no-canonicalize regression
+
+Fixes: https://github.com/util-linux/util-linux/issues/3474
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/context.c | 3 ---
+ sys-utils/mount.8.adoc | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/libmount/src/context.c b/libmount/src/context.c
+index 0323cb23d34..15a8ad3bbd0 100644
+--- a/libmount/src/context.c
++++ b/libmount/src/context.c
+@@ -530,9 +530,6 @@ int mnt_context_is_xnocanonicalize(
+ 	assert(cxt);
+ 	assert(type);
+ 
+-	if (mnt_context_is_nocanonicalize(cxt))
+-		return 1;
+-
+ 	ol = mnt_context_get_optlist(cxt);
+ 	if (!ol)
+ 		return 0;
+diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc
+index 4f23f8d1f0e..5103b91c578 100644
+--- a/sys-utils/mount.8.adoc
++++ b/sys-utils/mount.8.adoc
+@@ -756,7 +756,7 @@ Allow to make a target directory (mountpoint) if it does not exist yet. The opti
+ *X-mount.nocanonicalize*[**=**_type_]::
+ Allows disabling of canonicalization for mount source and target paths. By default, the `mount` command resolves all paths to their absolute paths without symlinks. However, this behavior may not be desired in certain situations, such as when binding a mount over a symlink, or a symlink over a directory or another symlink. The optional argument _type_ can be either "source" or "target" (mountpoint). If no _type_ is specified, then canonicalization is disabled for both types. This mount option does not affect the conversion of source tags (e.g. LABEL= or UUID=) and fstab processing.
+ +
+-The command line option *--no-canonicalize* overrides this mount option and affects all path and tag conversions in all situations, but it does not modify flags for open_tree syscalls.
++The command-line option *--no-canonicalize* overrides this mount option and affects all path and tag conversions in all situations, but for backward compatibility, it does not modify open_tree syscall flags and does not allow the bind-mount over a symlink use case.
+ +
+ Note that *mount*(8) still sanitizes and canonicalizes the source and target paths specified on the command line by non-root users, regardless of the X-mount.nocanonicalize setting.
+ 
diff --git a/pkgs/by-name/ut/util-linux/package.nix b/pkgs/by-name/ut/util-linux/package.nix
index eef5a90698c77..66b24424b7eff 100644
--- a/pkgs/by-name/ut/util-linux/package.nix
+++ b/pkgs/by-name/ut/util-linux/package.nix
@@ -34,7 +34,7 @@
 let
   isMinimal = cryptsetupSupport == false && !nlsSupport && !ncursesSupport && !systemdSupport;
 in
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalPackage: rec {
   pname = "util-linux" + lib.optionalString isMinimal "-minimal";
   version = "2.41";
 
@@ -200,6 +200,18 @@ stdenv.mkDerivation rec {
     '';
 
   passthru = {
+    # TODO (#409339): Remove this hack. We had to add it to avoid a mass rebuild
+    # for the 25.05 release to fix Kubernetes. Once the staging cycle referenced
+    # in the above PR completes, this passthru and all consumers of it should go away.
+    withPatches = finalPackage.overrideAttrs (prev: {
+      patches = lib.unique (
+        prev.patches or [ ]
+        ++ [
+          ./fix-mount-regression.patch
+        ]
+      );
+    });
+
     updateScript = gitUpdater {
       # No nicer place to find latest release.
       url = "https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git";
@@ -237,4 +249,4 @@ stdenv.mkDerivation rec {
     ];
     priority = 6; # lower priority than coreutils ("kill") and shadow ("login" etc.) packages
   };
-}
+})