diff --git a/.gitignore b/.gitignore
index 4ac3d75..64b2e6f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 SOURCES/centossecureboot201.cer
 SOURCES/centossecurebootca2.cer
-SOURCES/linux-4.18.0-553.64.1.rt7.405.el8_10.tar.xz
+SOURCES/linux-4.18.0-553.66.1.rt7.407.el8_10.tar.xz
 SOURCES/redhatsecureboot302.cer
 SOURCES/redhatsecureboot303.cer
 SOURCES/redhatsecureboot501.cer
diff --git a/.kernel-rt.metadata b/.kernel-rt.metadata
index 053d858..dd1049a 100644
--- a/.kernel-rt.metadata
+++ b/.kernel-rt.metadata
@@ -1,6 +1,6 @@
 2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
 bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
-2d6ad5b823c4b3d5eb8efcd9f2d873c51b2e0d9c SOURCES/linux-4.18.0-553.64.1.rt7.405.el8_10.tar.xz
+32b95e268820cffa02a368cd6c5026451945b4bb SOURCES/linux-4.18.0-553.66.1.rt7.407.el8_10.tar.xz
 13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
 e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
 ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index f6f4e6f..eccc80f 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 553.64.1.rt7.405.el8_10
+%define pkgrelease 553.66.1.rt7.407.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.64.1.rt7.405%{?dist}
+%define specrelease 553.66.1.rt7.407%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -148,7 +148,7 @@
 # The preempt RT patch level
 %global rttag .rt7
 # realtimeN
-%global rtbuild .405
+%global rtbuild .407
 %define with_doc 0
 %define with_headers 0
 %define with_cross_headers 0
@@ -2720,7 +2720,7 @@ fi
 #
 #
 %changelog
-* Mon Jul 28 2025 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.64.1.rt7.405
+* Wed Aug 06 2025 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.66.1.rt7.407
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -2731,10 +2731,33 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
-* Mon Jul 28 2025 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.64.1.rt7.405
+* Wed Aug 06 2025 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.0-553.66.1.rt7.407
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS
 
+* Mon Jul 28 2025 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.66.1.rt7.407.el8_10]
+- [rt] build kernel-rt-4.18.0-553.66.1.rt7.407.el8_10
+- net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (Xin Long) [RHEL-105415] {CVE-2025-38001}
+- sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (Xin Long) [RHEL-105415] {CVE-2025-38000}
+- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (CKI Backport Bot) [RHEL-105415] {CVE-2025-37890}
+- sch_hfsc: make hfsc_qlen_notify() idempotent (Xin Long) [RHEL-105415]
+- crypto: algif_hash - fix double free in hash_accept (CKI Backport Bot) [RHEL-102223] {CVE-2025-38079}
+- Revert "smb: client: fix TCP timers deadlock after rmmod" (Paulo Alcantara) [RHEL-100698] {CVE-2025-22077}
+- Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" (Paulo Alcantara) [RHEL-100698]
+- smb: client: Fix netns refcount imbalance causing leaks and use-after-free (Paulo Alcantara) [RHEL-100698]
+- smb: client: fix TCP timers deadlock after rmmod (Paulo Alcantara) [RHEL-100698] {CVE-2024-54680}
+- smb: client: Fix use-after-free of network namespace. (Paulo Alcantara) [RHEL-100698] {CVE-2024-53095}
+- smb: client: fix warning in generic_ip_connect() (Paulo Alcantara) [RHEL-100698]
+- net: tipc: fix refcount warning in tipc_aead_encrypt (Xin Long) [RHEL-103079]
+- net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CKI Backport Bot) [RHEL-103079] {CVE-2025-38052}
+- memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove (CKI Backport Bot) [RHEL-99013] {CVE-2025-22020}
+- HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (CKI Backport Bot) [RHEL-98837] {CVE-2025-21928}
+
+* Thu Jul 24 2025 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.65.1.rt7.406.el8_10]
+- [rt] build kernel-rt-4.18.0-553.65.1.rt7.406.el8_10
+- x86/alternatives: avoid mapping FIX_TEXT_POKE1 page when it is not required (Rafael Aquini) [RHEL-95422]
+- ext4: avoid resizing to a partial cluster size (CKI Backport Bot) [RHEL-101423] {CVE-2022-50020}
+
 * Wed Jul 23 2025 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.64.1.rt7.405.el8_10]
 - [rt] build kernel-rt-4.18.0-553.64.1.rt7.405.el8_10
 - sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (CKI Backport Bot) [RHEL-100387] {CVE-2025-21919}