diff --git a/.gitignore b/.gitignore
index a76fba7cb..96104c306 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
-SOURCES/kernel-abi-stablelists-5.14.0-611.47.1.el9_7.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-611.47.1.el9_7.tar.bz2
-SOURCES/linux-5.14.0-611.47.1.el9_7.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-611.49.1.el9_7.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-611.49.1.el9_7.tar.bz2
+SOURCES/linux-5.14.0-611.49.1.el9_7.tar.xz
 SOURCES/nvidiagpuoot001.x509
 SOURCES/olima1.x509
 SOURCES/olimaca1.x509
diff --git a/.kernel.metadata b/.kernel.metadata
index ec21b8069..a7e9ff4c5 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,6 +1,6 @@
-f1bf3a3cd8dcea12b1cedf7c2b445b80d7674a70 SOURCES/kernel-abi-stablelists-5.14.0-611.47.1.el9_7.tar.bz2
-ce89facb73b41d959399afdbfca92fd9aebe451a SOURCES/kernel-kabi-dw-5.14.0-611.47.1.el9_7.tar.bz2
-ae67c1f2760a071116d7367ceb7e2326f10349cc SOURCES/linux-5.14.0-611.47.1.el9_7.tar.xz
+efaea1c86bb55ce4cdcdcc30f88164ffa267f709 SOURCES/kernel-abi-stablelists-5.14.0-611.49.1.el9_7.tar.bz2
+b7925ed16f67d10e278605fabe191790e2e9751f SOURCES/kernel-kabi-dw-5.14.0-611.49.1.el9_7.tar.bz2
+999cc8ec86838e7c6087d78d8380f4cc960d9cb3 SOURCES/linux-5.14.0-611.49.1.el9_7.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver
index 44b53fecb..2c12c4941 100644
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.47.1
+RHEL_RELEASE = 611.49.1
 
 #
 # ZSTREAM
diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog
index 2b735b225..17a9f2a65 100644
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@@ -1,3 +1,22 @@
+* Tue Apr 07 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.49.1.el9_7]
+- rtnetlink: Allocate vfinfo size for VF GUIDs when supported (Kamal Heib) [RHEL-149469] {CVE-2025-22075}
+Resolves: RHEL-149469
+
+* Fri Apr 03 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.48.1.el9_7]
+- scsi: qla2xxx: Fix improper freeing of purex item (CKI Backport Bot) [RHEL-159222] {CVE-2025-68741}
+- NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Scott Mayhew) [RHEL-151414]
+- Bluetooth: MGMT: Fix memory leak in set_ssp_complete (David Marlin) [RHEL-151728]
+- Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work (David Marlin) [RHEL-151728]
+- Bluetooth: btusb: revert use of devm_kzalloc in btusb (David Marlin) [RHEL-151728]
+- Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (David Marlin) [RHEL-151728]
+- net: hv_netvsc: reject RSS hash key programming without RX indirection table (Medha Mummigatti) [RHEL-150571]
+- net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (CKI Backport Bot) [RHEL-150455] {CVE-2025-39766}
+- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CKI Backport Bot) [RHEL-150455] {CVE-2025-39766}
+- iommu/vt-d: Deduplicate cache_tag_flush_all by reusing flush_range (Jerry Snitselaar) [RHEL-144218]
+- iommu/vt-d: Fix missing PASID in dev TLB flush with cache_tag_flush_all (Jerry Snitselaar) [RHEL-144218]
+- i40e: validate ring_len parameter against hardware-specific values (CKI Backport Bot) [RHEL-141722]
+Resolves: RHEL-141722, RHEL-144218, RHEL-150455, RHEL-150571, RHEL-151414, RHEL-151728, RHEL-159222
+
 * Tue Mar 31 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.47.1.el9_7]
 - net/mlx5: Fix ECVF vports unload on shutdown flow (CKI Backport Bot) [RHEL-154537] {CVE-2025-38109}
 - netfilter: nf_tables: fix use-after-free in nf_tables_addchain() (CKI Backport Bot) [RHEL-153269] {CVE-2026-23231}
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index dfaaab669..8129465c2 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.47.1
+%define pkgrelease 611.49.1
 %define kversion 5
-%define tarfile_release 5.14.0-611.47.1.el9_7
+%define tarfile_release 5.14.0-611.49.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.47.1%{?buildid}%{?dist}
+%define specrelease 611.49.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-611.47.1.el9_7
+%define kabiversion 5.14.0-611.49.1.el9_7
 
 #
 # End of genspec.sh variables
@@ -2462,11 +2462,11 @@ BuildKernel() {
 %if %{signkernel}
 
 %if 0%{?centos}
-	UKI_secureboot_name=alsecureboot001
+	UKI_secureboot_name=%{pesign_name_0}
 	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
 %else
 	# RHEL only builds UKI for x86
-	UKI_secureboot_name=alsecureboot001
+	UKI_secureboot_name=%{pesign_name_0}
 	UKI_secureboot_cert=%{_datadir}/pki/sb-certs/secureboot-uki-virt-%{_arch}.cer
 %endif
 
@@ -3771,7 +3771,7 @@ fi
 #
 #
 %changelog
-* Wed Apr 08 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.47.1
+* Tue Apr 21 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.49.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -3782,11 +3782,28 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
-* Wed Apr 08 2026 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.47.1
+* Tue Apr 21 2026 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.49.1
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS
 - Add KVM support for ppc64le
 
+* Tue Apr 07 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.49.1.el9_7]
+- rtnetlink: Allocate vfinfo size for VF GUIDs when supported (Kamal Heib) [RHEL-149469] {CVE-2025-22075}
+
+* Fri Apr 03 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.48.1.el9_7]
+- scsi: qla2xxx: Fix improper freeing of purex item (CKI Backport Bot) [RHEL-159222] {CVE-2025-68741}
+- NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() (Scott Mayhew) [RHEL-151414]
+- Bluetooth: MGMT: Fix memory leak in set_ssp_complete (David Marlin) [RHEL-151728]
+- Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work (David Marlin) [RHEL-151728]
+- Bluetooth: btusb: revert use of devm_kzalloc in btusb (David Marlin) [RHEL-151728]
+- Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (David Marlin) [RHEL-151728]
+- net: hv_netvsc: reject RSS hash key programming without RX indirection table (Medha Mummigatti) [RHEL-150571]
+- net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (CKI Backport Bot) [RHEL-150455] {CVE-2025-39766}
+- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CKI Backport Bot) [RHEL-150455] {CVE-2025-39766}
+- iommu/vt-d: Deduplicate cache_tag_flush_all by reusing flush_range (Jerry Snitselaar) [RHEL-144218]
+- iommu/vt-d: Fix missing PASID in dev TLB flush with cache_tag_flush_all (Jerry Snitselaar) [RHEL-144218]
+- i40e: validate ring_len parameter against hardware-specific values (CKI Backport Bot) [RHEL-141722]
+
 * Tue Mar 31 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.47.1.el9_7]
 - net/mlx5: Fix ECVF vports unload on shutdown flow (CKI Backport Bot) [RHEL-154537] {CVE-2025-38109}
 - netfilter: nf_tables: fix use-after-free in nf_tables_addchain() (CKI Backport Bot) [RHEL-153269] {CVE-2026-23231}