diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py
index 5c39df05a5..3a15b1ed26 100755
--- a/scripts/contrib/improve_kernel_cve_report.py
+++ b/scripts/contrib/improve_kernel_cve_report.py
@@ -236,6 +236,26 @@ def read_spdx3(spdx):
             cfiles.add(filename)
     return cfiles
 
+def read_debugsources(file_path):
+    '''
+    Read zstd file from pkgdata to extract sources
+    '''
+    import zstandard as zstd
+    import itertools
+    # Decompress the .zst file
+    cfiles = set()
+    with open(file_path, 'rb') as fh:
+        dctx = zstd.ZstdDecompressor()
+        with dctx.stream_reader(fh) as reader:
+            decompressed_bytes = reader.read()
+            json_data = json.loads(decompressed_bytes)
+            # We need to remove one level from the debug sources
+            for source_list in json_data.values():
+                for source in source_list:
+                    src = source.split("/",1)[1]
+                    cfiles.add(src)
+    return cfiles
+
 def check_kernel_compiled_files(compiled_files, cve_info):
     """
     Return if a CVE affected us depending on compiled files
@@ -372,6 +392,10 @@ def main():
         "--spdx",
         help="SPDX2/3 for the kernel. Needs to include compiled sources",
     )
+    parser.add_argument(
+        "--debug-sources-file",
+        help="Debug sources zstd file generated from Yocto",
+    )
     parser.add_argument(
         "--datadir",
         type=pathlib.Path,
@@ -415,6 +439,9 @@ def main():
     if args.spdx:
         compiled_files = read_spdx(args.spdx)
         logging.info("Total compiled files %d", len(compiled_files))
+    if args.debug_sources_file:
+        compiled_files = read_debugsources(args.debug_sources_file)
+        logging.info("Total compiled files %d", len(compiled_files))
 
     if args.old_cve_report:
         with open(args.old_cve_report, encoding='ISO-8859-1') as f: