diff --git a/.gitignore b/.gitignore index 3651afcc9..7c9a3690c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ fedoraimaca.x509 -kernel-abi-stablelists-6.12.0-124.20.1.el10_1.tar.xz -kernel-kabi-dw-6.12.0-124.20.1.el10_1.tar.xz -linux-6.12.0-124.20.1.el10_1.tar.xz +kernel-abi-stablelists-6.12.0-124.21.1.el10_1.tar.xz +kernel-kabi-dw-6.12.0-124.21.1.el10_1.tar.xz +linux-6.12.0-124.21.1.el10_1.tar.xz nvidiagpuoot001.x509 redhatsecureboot501.cer redhatsecureboot504.cer diff --git a/Makefile.rhelver b/Makefile.rhelver index ed5527efd..76c6c89c6 100644 --- a/Makefile.rhelver +++ b/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 1 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 124.20.1 +RHEL_RELEASE = 124.21.1 # # RHEL_REBASE_NUM diff --git a/kernel.changelog b/kernel.changelog index 093ba771a..4e00b19a3 100644 --- a/kernel.changelog +++ b/kernel.changelog @@ -1,3 +1,8 @@ +* Thu Dec 04 2025 CKI KWF Bot [6.12.0-124.21.1.el10_1] +- CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129282] {CVE-2025-38499} +- net: tun: Update napi->skb after XDP process (CKI Backport Bot) [RHEL-122247] {CVE-2025-39984} +Resolves: RHEL-122247, RHEL-129282 + * Tue Dec 02 2025 CKI KWF Bot [6.12.0-124.20.1.el10_1] - iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058} - net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979} diff --git a/kernel.spec b/kernel.spec index f272297ac..40969cff9 100644 --- a/kernel.spec +++ b/kernel.spec 
@@ -176,15 +176,15 @@ Summary: The Linux kernel %define specrpmversion 6.12.0 %define specversion 6.12.0 %define patchversion 6.12 -%define pkgrelease 124.20.1 +%define pkgrelease 124.21.1 %define kversion 6 -%define tarfile_release 6.12.0-124.20.1.el10_1 +%define tarfile_release 6.12.0-124.21.1.el10_1 # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 124.20.1%{?buildid}%{?dist} +%define specrelease 124.21.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 6.12.0-124.20.1.el10_1 +%define kabiversion 6.12.0-124.21.1.el10_1 # If this variable is set to 1, a bpf selftests build failure will cause a # fatal kernel package build error @@ -4389,14 +4389,14 @@ fi\ # # %changelog -* Tue Dec 09 2025 Eduard Abdullin - 6.12.0-124.20.1 +* Mon Dec 22 2025 Eduard Abdullin - 6.12.0-124.21.1 - Debrand for AlmaLinux OS - Use AlmaLinux OS secure boot cert -* Tue Dec 09 2025 Neal Gompa - 6.12.0-124.20.1 +* Mon Dec 22 2025 Neal Gompa - 6.12.0-124.21.1 - Enable Btrfs support for all kernel variants -* Tue Dec 09 2025 Andrew Lukoshko - 6.12.0-124.20.1 +* Mon Dec 22 2025 Andrew Lukoshko - 6.12.0-124.21.1 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 
@@ -4407,6 +4407,10 @@ fi\ - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained +* Thu Dec 04 2025 CKI KWF Bot [6.12.0-124.21.1.el10_1] +- CVE-2025-38499 kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Abhi Das) [RHEL-129282] {CVE-2025-38499} +- net: tun: Update napi->skb after XDP process (CKI Backport Bot) [RHEL-122247] {CVE-2025-39984} + * Tue Dec 02 2025 CKI KWF Bot [6.12.0-124.20.1.el10_1] - iommu/vt-d: Disallow dirty tracking if incoherent page walk (CKI Backport Bot) [RHEL-125482] {CVE-2025-40058} - net/mlx5: fs, fix UAF in flow counter release (Michal Schmidt) [RHEL-124432] {CVE-2025-39979} diff --git a/sources b/sources index d52aaf969..594acf092 100644 --- a/sources +++ b/sources 
@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-124.20.1.el10_1.tar.xz) = d72912e431e842bf3a63a3211ff91ec5e33cc986f82a5e81866cd25cd16f45d60fa62202831d96cb0bbd8aaa054364a585b0e34dbbbe1cd72c38833529039e60
-SHA512 (kernel-kabi-dw-6.12.0-124.20.1.el10_1.tar.xz) = d4fad9591096d5c38bca0a0a2aa559130ef085ea09160f6979014e9316ae1ef29f9fbe0de90ce65c0281bf8d938c6e32ec580022a517467f71ec591a27f2a903
-SHA512 (linux-6.12.0-124.20.1.el10_1.tar.xz) = 09031bc085358168fd20e5385033ede032ef6fa116243f081bbce27475659acf8a5e5b6c30901aedd09e7b31bf646eeb3844658ab221bf5c82875a547856af20
+SHA512 (kernel-abi-stablelists-6.12.0-124.21.1.el10_1.tar.xz) = 1173a03e63aaed31c49470e25a5595e7c575e0f52e2f4e14494794499e14a032a89d6c8de63deac2c3ab3e620f001d63b86b04ed0dc0e46b8b0819b48ed3c456
+SHA512 (kernel-kabi-dw-6.12.0-124.21.1.el10_1.tar.xz) = 6168c461185a588a463a5bd543a2ae6744900a8c2d5288d0aa8d239f9fc2af9be1c26c8a0d32a8c0b5f4bb5c443a3d356d85721b652f20b16b1dab02ad80a411
+SHA512 (linux-6.12.0-124.21.1.el10_1.tar.xz) = a1d01f29f01f9fbf8cda36f37524cdc6af0f5ee16d210609e9639d650f2208cec0b64901e927dba24659606101c420b68cfa08586d978748d038b77273705869
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
 SHA512 (redhatsecureboot504.cer) = d6e9b54c378769bb934ead996c1003b495bde48a17d02c8880124f36a529ef799f1e3a97202f9536c71c0d2cefe20a3532053ab73ce798ba550934eedce23ff9