diff --git a/builder/install/40-grpc.sh b/builder/install/40-grpc.sh
index 5fafa37108..7306e9ebf1 100755
--- a/builder/install/40-grpc.sh
+++ b/builder/install/40-grpc.sh
@@ -2,11 +2,19 @@
 set -e
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 export CXXFLAGS="-Wno-error=class-memaccess -Wno-ignored-qualifiers -Wno-stringop-truncation -Wno-cast-function-type -Wno-attributes"
 cd third_party/grpc
 cp NOTICE.txt "${LICENSE_DIR}/grpc-${GRPC_REVISION}"
+
+# ROX-33133: Remove hardcoded P-256 curve from gRPC (OpenSSL 3.x only) to allow
+# OpenSSL to use system crypto-policies defaults, enabling post-quantum key
+# exchange (ML-KEM). See: https://github.com/grpc/grpc/issues/23083
+patch -p1 < "${SCRIPT_DIR}/grpc-pq-curves.patch"
+
 mkdir -p cmake/build
 cd cmake/build
 cmake \
diff --git a/builder/install/grpc-pq-curves.patch b/builder/install/grpc-pq-curves.patch
new file mode 100644
index 0000000000..dad5784699
--- /dev/null
+++ b/builder/install/grpc-pq-curves.patch
@@ -0,0 +1,15 @@
+--- a/src/core/tsi/ssl_transport_security.cc
++++ b/src/core/tsi/ssl_transport_security.cc
+@@ -819,12 +819,6 @@ static tsi_result populate_ssl_context(
+ }
+ SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
+-#else
+- if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) {
+- LOG(ERROR) << "Could not set ephemeral ECDH key.";
+- return TSI_INTERNAL_ERROR;
+- }
+- SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ #endif
+ }
+ return TSI_OK;
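Review bot: The new `patch -p1 < "${SCRIPT_DIR}/grpc-pq-curves.patch"` line applies with GNU patch's default fuzz factor, so when GRPC_REVISION moves and the hunk no longer matches exactly, the patch can land in a shifted location or leave `.orig`/`.rej` files behind while the build continues; because this patch decides which TLS key-exchange groups the library offers, a misapplied hunk would quietly reinstate the P-256 pin. `set -e` at the top of the hunk only catches an outright patch failure. I'd apply it strictly, `patch -p1 --forward --fuzz=0 --no-backup-if-mismatch < "${SCRIPT_DIR}/grpc-pq-curves.patch"`, so a stale patch fails the build loudly after a revision bump; if the same checkout can be built twice, a guard such as `patch -p1 -R --dry-run -s < "$p" >/dev/null || patch -p1 --fuzz=0 < "$p"` keeps re-runs from tripping on an already-patched tree. The comment says "OpenSSL 3.x only", but only the `#else` branch is visible in the patch, not the `#if` condition it belongs to, so it is worth confirming and stating in the comment which OpenSSL versions actually take that branch.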
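Review bot: The patch file carries no header describing the gRPC revision it was generated against, the OpenSSL branch the removed `#else` belongs to, or what group list the context is now expected to inherit, so the next GRPC_REVISION bump has nothing to review the patch against; a short comment block above the first `---` line (upstream file, revision, intent that groups come from the system crypto-policy rather than `kSslEcCurveNames`) would fix that. Dropping the second `SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE)` along with the `set1_groups` call is harmless on OpenSSL 1.1.0 and later, where that option is a no-op, but the header should say so explicitly since it reads like a behaviour change. If `kSslEcCurveNames` is referenced only in the removed lines, its definition becomes unused in this configuration and may raise an unused-variable warning under the strict CXXFLAGS in 40-grpc.sh; the definition and the enclosing `#if` are outside this hunk, so I can't confirm that from here. Nothing in the change verifies the outcome, so a build-time check that the resulting library negotiates the expected groups would be worth adding alongside the patch.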