diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch
new file mode 100644
index 0000000000..bcdf2a3f75
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch
@@ -0,0 +1,119 @@
+From 7136aa7db4423432392a0fe6055c48a922a4aad4 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Tue, 10 Sep 2024 00:12:41 +0900
+Subject: [PATCH] network/netdev: also check ifindex, iftype, and kind when
+ assigning NetDev to Link
+
+Even when a NetDev object with the same name found, its iftype or kind
+may be different. For safety, let's also check them.
+
+(cherry picked from commit 1788c3462853e8bb955ff656007e20f402dd9af2)
+
+Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
+---
+ src/network/netdev/netdev.c | 37 +++++++++++++++++++++++++++++++++++++
+ src/network/netdev/netdev.h |  1 +
+ src/network/networkd-link.c | 10 ++--------
+ 3 files changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
+index 2b411425ba..9a528137ea 100644
+--- a/src/network/netdev/netdev.c
++++ b/src/network/netdev/netdev.c
+@@ -265,6 +265,43 @@ int netdev_get(Manager *manager, const char *name, NetDev **ret) {
+         return 0;
+ }
+ 
++void link_assign_netdev(Link *link) {
++        _unused_ _cleanup_(netdev_unrefp) NetDev *old = NULL;
++        NetDev *netdev;
++
++        assert(link);
++        assert(link->manager);
++        assert(link->ifname);
++
++        old = TAKE_PTR(link->netdev);
++
++        if (netdev_get(link->manager, link->ifname, &netdev) < 0)
++                return;
++
++        if (netdev->ifindex != link->ifindex)
++                return;
++
++        if (NETDEV_VTABLE(netdev)->iftype != link->iftype)
++                return;
++
++        if (!NETDEV_VTABLE(netdev)->skip_netdev_kind_check) {
++                const char *kind;
++
++                if (netdev->kind == NETDEV_KIND_TAP)
++                        kind = "tun"; /* the kernel does not distinguish between tun and tap */
++                else
++                        kind = netdev_kind_to_string(netdev->kind);
++
++                if (!streq_ptr(kind, link->kind))
++                        return;
++        }
++
++        link->netdev = netdev_ref(netdev);
++
++        if (netdev != old)
++                log_link_debug(link, "Found matching .netdev file: %s", netdev->filename);
++}
++
+ void netdev_enter_failed(NetDev *netdev) {
+         netdev->state = NETDEV_STATE_FAILED;
+ }
+diff --git a/src/network/netdev/netdev.h b/src/network/netdev/netdev.h
+index cb8cc8c6a9..1a03a9b592 100644
+--- a/src/network/netdev/netdev.h
++++ b/src/network/netdev/netdev.h
+@@ -206,6 +206,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(NetDev*, netdev_unref);
+ 
+ bool netdev_is_managed(NetDev *netdev);
+ int netdev_get(Manager *manager, const char *name, NetDev **ret);
++void link_assign_netdev(Link *link);
+ int netdev_set_ifindex(NetDev *netdev, sd_netlink_message *newlink);
+ int netdev_generate_hw_addr(NetDev *netdev, Link *link, const char *name,
+                             const struct hw_addr_data *hw_addr, struct hw_addr_data *ret);
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 8f21504d92..c3a5dc1f0d 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1317,7 +1317,6 @@ static int link_get_network(Link *link, Network **ret) {
+ 
+ int link_reconfigure_impl(Link *link, bool force) {
+         Network *network = NULL;
+-        NetDev *netdev = NULL;
+         int r;
+ 
+         assert(link);
+@@ -1326,13 +1325,11 @@ int link_reconfigure_impl(Link *link, bool force) {
+         if (link->manager->state != MANAGER_RUNNING)
+                 return 0;
+ 
++        link_assign_netdev(link);
++
+         if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER))
+                 return 0;
+ 
+-        r = netdev_get(link->manager, link->ifname, &netdev);
+-        if (r < 0 && r != -ENOENT)
+-                return r;
+-
+         r = link_get_network(link, &network);
+         if (r < 0 && r != -ENOENT)
+                 return r;
+@@ -1397,9 +1394,6 @@ int link_reconfigure_impl(Link *link, bool force) {
+         link_free_engines(link);
+         link->network = network_unref(link->network);
+ 
+-        netdev_unref(link->netdev);
+-        link->netdev = netdev_ref(netdev);
+-
+         if (!network) {
+                 link_set_state(link, LINK_STATE_UNMANAGED);
+                 return 0;
+-- 
+2.39.5
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch
new file mode 100644
index 0000000000..3ab34f08b6
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/files/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch
@@ -0,0 +1,146 @@
+From 916523aabc7fcb3b5b9362100a5e3417aae00cb2 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Wed, 11 Jun 2025 18:05:46 +0900
+Subject: [PATCH] network: also check ID_NET_MANAGED_BY property on
+ reconfigure
+
+Previously, the property was checked only when an uevent is received,
+so even if an interface has ID_NET_MANAGED_BY property, the interface
+will be configured by networkd when reconfiguration is triggered e.g.
+when interface state is changed.
+
+Follow-up for ba87a61d05d637be9f0b21707f7fe3b0a74c5a05.
+Fixes #36997.
+
+(cherry picked from commit 78f8d5ed71ecc16ad36d1c215d2d57433d127679)
+
+Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
+---
+ src/network/networkd-link.c                   | 44 ++++++++++++++-----
+ .../test-network/conf/11-dummy-unmanaged.link |  8 ++++
+ test/test-network/systemd-networkd-tests.py   | 11 +++++
+ 3 files changed, 53 insertions(+), 10 deletions(-)
+ create mode 100644 test/test-network/conf/11-dummy-unmanaged.link
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index c3a5dc1f0d..3ed1584807 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1315,6 +1315,32 @@ static int link_get_network(Link *link, Network **ret) {
+         return -ENOENT;
+ }
+ 
++static int link_managed_by_us(Link *link) {
++        int r;
++
++        assert(link);
++
++        if (!link->dev)
++                return true;
++
++        const char *s;
++        r = sd_device_get_property_value(link->dev, "ID_NET_MANAGED_BY", &s);
++        if (r == -ENOENT)
++                return true;
++        if (r < 0)
++                return log_link_warning_errno(link, r, "Failed to get ID_NET_MANAGED_BY udev property: %m");
++
++        if (streq(s, "io.systemd.Network"))
++                return true;
++
++        if (link->state == LINK_STATE_UNMANAGED)
++                return false; /* Already in unmanaged state */
++
++        log_link_debug(link, "Interface is requested to be managed by '%s', unmanaging the interface.", s);
++        link_set_state(link, LINK_STATE_UNMANAGED);
++        return false;
++}
++
+ int link_reconfigure_impl(Link *link, bool force) {
+         Network *network = NULL;
+         int r;
+@@ -1330,6 +1356,10 @@ int link_reconfigure_impl(Link *link, bool force) {
+         if (IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_LINGER))
+                 return 0;
+ 
++        r = link_managed_by_us(link);
++        if (r <= 0)
++                return r;
++
+         r = link_get_network(link, &network);
+         if (r < 0 && r != -ENOENT)
+                 return r;
+@@ -1584,6 +1614,10 @@ static int link_initialized(Link *link, sd_device *device) {
+          * or sysattrs) may be outdated. */
+         device_unref_and_replace(link->dev, device);
+ 
++        r = link_managed_by_us(link);
++        if (r <= 0)
++                return r;
++
+         if (link->dhcp_client) {
+                 r = sd_dhcp_client_attach_device(link->dhcp_client, link->dev);
+                 if (r < 0)
+@@ -1651,7 +1685,6 @@ static int link_check_initialized(Link *link) {
+ 
+ int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t action) {
+         int r, ifindex;
+-        const char *s;
+         Link *link;
+ 
+         assert(m);
+@@ -1686,15 +1719,6 @@ int manager_udev_process_link(Manager *m, sd_device *device, sd_device_action_t
+                 return 0;
+         }
+ 
+-        r = sd_device_get_property_value(device, "ID_NET_MANAGED_BY", &s);
+-        if (r < 0 && r != -ENOENT)
+-                log_device_debug_errno(device, r, "Failed to get ID_NET_MANAGED_BY udev property, ignoring: %m");
+-        if (r >= 0 && !streq(s, "io.systemd.Network")) {
+-                log_device_debug(device, "Interface is requested to be managed by '%s', not managing the interface.", s);
+-                link_set_state(link, LINK_STATE_UNMANAGED);
+-                return 0;
+-        }
+-
+         r = link_initialized(link, device);
+         if (r < 0)
+                 link_enter_failed(link);
+diff --git a/test/test-network/conf/11-dummy-unmanaged.link b/test/test-network/conf/11-dummy-unmanaged.link
+new file mode 100644
+index 0000000000..99c07a72ce
+--- /dev/null
++++ b/test/test-network/conf/11-dummy-unmanaged.link
+@@ -0,0 +1,8 @@
++# SPDX-License-Identifier: MIT-0
++[Match]
++Kind=dummy
++OriginalName=test1
++
++[Link]
++NamePolicy=keep
++Property=ID_NET_MANAGED_BY=hoge
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index d8acf538f0..391d219de8 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -2735,6 +2735,17 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
+     def tearDown(self):
+         tear_down_common()
+ 
++    def test_ID_NET_MANAGED_BY(self):
++        copy_network_unit('11-dummy.netdev', '11-dummy-unmanaged.link', '11-dummy.network')
++        start_networkd()
++        self.wait_online('test1:off', setup_state='unmanaged')
++
++        check_output('ip link set dev test1 up')
++        self.wait_online('test1:degraded', setup_state='unmanaged')
++
++        check_output('ip link set dev test1 down')
++        self.wait_online('test1:off', setup_state='unmanaged')
++
+     def verify_address_static(
+             self,
+             label1: str,
+-- 
+2.39.5
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild
index 92489ad0a1..ed6aaf1aaa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/systemd/systemd-256.9-r1.ebuild
@@ -266,6 +266,8 @@ src_prepare() {
 		"${FILESDIR}/0006-Revert-getty-Pass-tty-to-use-by-agetty-via-stdin.patch"
 		"${FILESDIR}/0007-units-Keep-using-old-journal-file-format.patch"
 		"${FILESDIR}/0009-initrd-parse-etc.service.patch"
+		"${FILESDIR}/0010-network-netdev-also-check-ifindex-iftype-and-kind-wh.patch"
+		"${FILESDIR}/0011-network-also-check-ID_NET_MANAGED_BY-property-on-rec.patch"
 	)
 
 	if ! use vanilla; then