diff --git a/.gitignore b/.gitignore
index 52962853a..4ce832314 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
-SOURCES/kernel-abi-stablelists-5.14.0-611.16.1.el9_7.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-611.16.1.el9_7.tar.bz2
-SOURCES/linux-5.14.0-611.16.1.el9_7.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-611.20.1.el9_7.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-611.20.1.el9_7.tar.bz2
+SOURCES/linux-5.14.0-611.20.1.el9_7.tar.xz
 SOURCES/nvidiagpuoot001.x509
 SOURCES/olima1.x509
 SOURCES/olimaca1.x509
diff --git a/.kernel.metadata b/.kernel.metadata
index 88a9b2c78..0b4114be9 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,6 +1,6 @@
-31e7f4937937748cabdb75462568d316ce8865af SOURCES/kernel-abi-stablelists-5.14.0-611.16.1.el9_7.tar.bz2
-3c2b435e3a907e78a8bd4ed79c8e00db196365b3 SOURCES/kernel-kabi-dw-5.14.0-611.16.1.el9_7.tar.bz2
-33089a9379d98a1f2d067344a45048ea32cb4939 SOURCES/linux-5.14.0-611.16.1.el9_7.tar.xz
+1e30289092b81ba717ae5e7f571e1e45bf6c9fe8 SOURCES/kernel-abi-stablelists-5.14.0-611.20.1.el9_7.tar.bz2
+070fdef7e39adf3321eb25910d3da5b3eccb36ec SOURCES/kernel-kabi-dw-5.14.0-611.20.1.el9_7.tar.bz2
+650b2127d6afd5fbed75f4c69c1dff313a99e32f SOURCES/linux-5.14.0-611.20.1.el9_7.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver
index b6d4683a5..dc11f32df 100644
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.16.1
+RHEL_RELEASE = 611.20.1
 
 #
 # ZSTREAM
diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog
index c54e67add..df8b20ef9 100644
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@@ -1,3 +1,34 @@
+* Sat Dec 20 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.20.1.el9_7]
+- HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806}
+- sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240}
+- selftests/landlock: Add a new test for setuid() (Štěpán Horáček) [RHEL-132712]
+- selftests/landlock: Split signal_scoping_threads tests (Štěpán Horáček) [RHEL-132712]
+- landlock: Always allow signals between threads of the same process (Štěpán Horáček) [RHEL-132712]
+- landlock: Prepare to add second errata (Štěpán Horáček) [RHEL-132712]
+- landlock: Add the errata interface (Štěpán Horáček) [RHEL-132712]
+- selftests/landlock: Test signal scoping for threads (Štěpán Horáček) [RHEL-132712]
+- selftests/landlock: Test signal scoping (Štěpán Horáček) [RHEL-132712]
+- landlock: Add signal scoping (Štěpán Horáček) [RHEL-132712]
+Resolves: RHEL-124607, RHEL-132712, RHEL-134001
+
+* Thu Dec 18 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.19.1.el9_7]
+- scsi: st: Skip buffer flush for information ioctls (John Meneghini) [RHEL-133543]
+- scsi: st: Separate st-unique ioctl handling from SCSI common ioctl handling (John Meneghini) [RHEL-133543]
+- audit: fix out-of-bounds read in audit_compare_dname_path() (Richard Guy Briggs) [RHEL-119176] {CVE-2025-39840}
+Resolves: RHEL-119176, RHEL-133543
+
+* Sat Dec 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.18.1.el9_7]
+- NFS: remove revoked delegation from server's delegation list (Benjamin Coddington) [RHEL-134237]
+- redhat: use RELEASE_LOCALVERSION also for dist-get-tag (Jan Stancek)
+- redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek)
+Resolves: RHEL-134237
+
+* Thu Dec 11 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.17.1.el9_7]
+- smb: client: handle lack of IPC in dfs_cache_refresh() (Paulo Alcantara) [RHEL-126165]
+- smb: client: get rid of d_drop() in cifs_do_rename() (Paulo Alcantara) [RHEL-124917]
+- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119150] {CVE-2025-39883}
+Resolves: RHEL-119150, RHEL-124917, RHEL-126165
+
 * Sun Dec 07 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.16.1.el9_7]
 - CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129261] {CVE-2025-38499}
 - tls: wait for pending async decryptions if tls_strp_msg_hold fails (CKI Backport Bot) [RHEL-128860] {CVE-2025-40176}
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 2b1ccd55b..489e784ce 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.16.1
+%define pkgrelease 611.20.1
 %define kversion 5
-%define tarfile_release 5.14.0-611.16.1.el9_7
+%define tarfile_release 5.14.0-611.20.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.16.1%{?buildid}%{?dist}
+%define specrelease 611.20.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-611.16.1.el9_7
+%define kabiversion 5.14.0-611.20.1.el9_7
 
 #
 # End of genspec.sh variables
@@ -3768,7 +3768,7 @@ fi
 #
 #
 %changelog
-* Mon Dec 22 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.16.1
+* Wed Jan 14 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.20.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -3779,11 +3779,38 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
-* Mon Dec 22 2025 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.16.1
+* Wed Jan 14 2026 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.20.1
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS
 - Add KVM support for ppc64le
 
+* Sat Dec 20 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.20.1.el9_7]
+- HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806}
+- sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240}
+- selftests/landlock: Add a new test for setuid() (Štěpán Horáček) [RHEL-132712]
+- selftests/landlock: Split signal_scoping_threads tests (Štěpán Horáček) [RHEL-132712]
+- landlock: Always allow signals between threads of the same process (Štěpán Horáček) [RHEL-132712]
+- landlock: Prepare to add second errata (Štěpán Horáček) [RHEL-132712]
+- landlock: Add the errata interface (Štěpán Horáček) [RHEL-132712]
+- selftests/landlock: Test signal scoping for threads (Štěpán Horáček) [RHEL-132712]
+- selftests/landlock: Test signal scoping (Štěpán Horáček) [RHEL-132712]
+- landlock: Add signal scoping (Štěpán Horáček) [RHEL-132712]
+
+* Thu Dec 18 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.19.1.el9_7]
+- scsi: st: Skip buffer flush for information ioctls (John Meneghini) [RHEL-133543]
+- scsi: st: Separate st-unique ioctl handling from SCSI common ioctl handling (John Meneghini) [RHEL-133543]
+- audit: fix out-of-bounds read in audit_compare_dname_path() (Richard Guy Briggs) [RHEL-119176] {CVE-2025-39840}
+
+* Sat Dec 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.18.1.el9_7]
+- NFS: remove revoked delegation from server's delegation list (Benjamin Coddington) [RHEL-134237]
+- redhat: use RELEASE_LOCALVERSION also for dist-get-tag (Jan Stancek)
+- redhat: introduce RELEASE_LOCALVERSION variable (Jan Stancek)
+
+* Thu Dec 11 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.17.1.el9_7]
+- smb: client: handle lack of IPC in dfs_cache_refresh() (Paulo Alcantara) [RHEL-126165]
+- smb: client: get rid of d_drop() in cifs_do_rename() (Paulo Alcantara) [RHEL-124917]
+- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119150] {CVE-2025-39883}
+
 * Sun Dec 07 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.16.1.el9_7]
 - CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129261] {CVE-2025-38499}
 - tls: wait for pending async decryptions if tls_strp_msg_hold fails (CKI Backport Bot) [RHEL-128860] {CVE-2025-40176}