diff --git a/kernel.spec b/kernel.spec
index 9c78f73cc..51cd5c583 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 553.30.1.el8_10
+%define pkgrelease 553.31.1.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.30.1%{?dist}
+%define specrelease 553.31.1%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -2696,6 +2696,25 @@ fi
 #
 #
 %changelog
+* Fri Nov 22 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.31.1.el8_10]
+- xfrm: fix one more kernel-infoleak in algo dumping (Sabrina Dubroca) [RHEL-65955] {CVE-2024-50110}
+- netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6() (Florian Westphal) [RHEL-66862] {CVE-2024-50256}
+- netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n (Florian Westphal) [RHEL-66862]
+- netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() (Florian Westphal) [RHEL-66862]
+- cifs: fix return of uninitialized rc in dfs_cache_update_tgthint() (Paulo Alcantara) [RHEL-7988]
+- cifs: handle cache lookup errors different than -ENOENT (Paulo Alcantara) [RHEL-7988]
+- cifs: don't take exclusive lock for updating target hints (Paulo Alcantara) [RHEL-7988]
+- cifs: avoid re-lookups in dfs_cache_find() (Paulo Alcantara) [RHEL-7988]
+- cifs: fix potential deadlock in cache_refresh_path() (Paulo Alcantara) [RHEL-7988]
+- cifs: don't refresh cached referrals from unactive mounts (Paulo Alcantara) [RHEL-7988]
+- cifs: return ENOENT for DFS lookup_cache_entry() (Paulo Alcantara) [RHEL-7988]
+- selinux,smack: don't bypass permissions check in inode_setsecctx hook (Ondrej Mosnacek) [RHEL-66104] {CVE-2024-46695}
+- gfs2: Prevent inode creation race (Andreas Gruenbacher) [RHEL-67823]
+- gfs2: Only defer deletes when we have an iopen glock (Andreas Gruenbacher) [RHEL-67823]
+- arm64: probes: Remove broken LDR (literal) uprobe support (Mark Salter) [RHEL-66042] {CVE-2024-50099}
+- net: avoid potential underflow in qdisc_pkt_len_init() with UFO (Davide Caratti) [RHEL-65399] {CVE-2024-49949}
+- xfrm: validate new SA's prefixlen using SA family when sel.family is unset (Sabrina Dubroca) [RHEL-66457] {CVE-2024-50142}
+
 * Fri Nov 15 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.30.1.el8_10]
 - media: edia: dvbdev: fix a use-after-free (Kate Hsuan) [RHEL-35763] {CVE-2024-27043}
 - blk-mq: fix missing blk_account_io_done() in error path (Ming Lei) [RHEL-61200]
diff --git a/sources b/sources
index 8313ab136..4f127a4bb 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-553.30.1.el8_10.tar.xz) = 13a97fe954386270130c5876c710f625d3dbb30e4b16c33f7641155ca2bc2ada00d672fffa84259911378913bcec9f5e6eb9cb4bb7a9bb3a3f02bc8d0c272203
-SHA512 (kernel-abi-stablelists-4.18.0-553.tar.bz2) = da50f79871884b80655e7f3c5e3248daffc742dfd1e3d620e16736211dafb3d7f2b6ace84cfc75eeb1b1174b3571ef3f8ceecd8b296d8946b182b4b11c014785
+SHA512 (linux-4.18.0-553.31.1.el8_10.tar.xz) = 9d0008b1df1e00b06f5baba8e217a32d8104ffdc5d2f05b2a6f24b7bd1d9c18ff268b2fe09c5791b85c6d142cf05677f5ae6dc28ca53fa7065a41fafebdd99ab
+SHA512 (kernel-abi-stablelists-4.18.0-553.tar.bz2) = 070d63e199b6ff3d212ad5865156defb4b8ab1d51e5c9889b29203808aa351da5c983fbccde6aa7b1622a5c0a0fc1a6a3f292eb31fabd15d28b3525d67ba766f
 SHA512 (kernel-kabi-dw-4.18.0-553.tar.bz2) = 8a671ed3c9b7f4b25fd4e594b62bc4a26474cb705d3ed22ca376618b3c7962fc72ace1ffd02c9c3a192d9d2c449d38228809542d7f16ebad16f8127020eb2faf