diff --git a/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
new file mode 100644
index 000000000..88227ab88
--- /dev/null
+++ b/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
@@ -0,0 +1,75 @@
+From: Andrew Lukoshko
+Subject: [PATCH AlmaLinux 8] xfrm: esp: avoid in-place decrypt on shared skb frags
+
+Backport of upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place
+decrypt on shared skb frags") for AlmaLinux 8 (4.18 kernel).
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-4.18.0-553.123.1.el8_10.
+
+ESP-in-UDP packets built from caller-owned pages (e.g. pipe pages
+attached via udp_sendpage(2) -> ip_append_page() -> skb_append_pagefrags())
+look like ordinary uncloned nonlinear skbs. ESP input then takes the
+no-COW fast path and decrypts in place over data that is not owned
+privately by the skb, which can be read or modified by an unprivileged
+process holding the pages.
+
+Tree adaptation:
+ * Upstream patches __ip_append_data() / __ip6_append_data(), the
+ MSG_SPLICE_PAGES branch added by 7da0dde68486 / 6d8192bd69bb.
+ That feature is not present in the 4.18 tree.
+ * The age-equivalent producer is ip_append_page() (called from
+ udp_sendpage). Mark frags there using SKBTX_SHARED_FRAG, which
+ is what skb_has_shared_frag() already checks on this kernel.
+ * UDPv6 has no .sendpage op in this tree, so the esp6 hunk is
+ defense-in-depth in case a later backport adds one.
+ * The esp4/esp6 receiver-side hunks are taken verbatim from
+ upstream.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
+Signed-off-by: Andrew Lukoshko
+---
+ net/ipv4/esp4.c | 3 ++-
+ net/ipv4/ip_output.c | 2 ++
+ net/ipv6/esp6.c | 3 ++-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -913,7 +913,8 @@
+ nfrags = 1;
+ 
+ goto skip_cow;
+- } else if (!skb_has_frag_list(skb)) {
++ } else if (!skb_has_frag_list(skb) &&
++ !skb_has_shared_frag(skb)) {
+ nfrags = skb_shinfo(skb)->nr_frags;
+ nfrags++;
+ 
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1346,6 +1346,8 @@
+ err = -EMSGSIZE;
+ goto error;
+ }
++ if (!(flags & MSG_NO_SHARED_FRAGS))
++ skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG;
+ 
+ if (skb->ip_summed == CHECKSUM_NONE) {
+ __wsum csum;
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -971,7 +971,8 @@
+ nfrags = 1;
+ 
+ goto skip_cow;
+- } else if (!skb_has_frag_list(skb)) {
++ } else if (!skb_has_frag_list(skb) &&
++ !skb_has_shared_frag(skb)) {
+ nfrags = skb_shinfo(skb)->nr_frags;
+ nfrags++;
+ 
+-- 
+2.43.0
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index f35e6a04f..496b8a8aa 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -38,10 +38,11 @@ # define buildid .local
 %define specversion 4.18.0
-%define pkgrelease 553.123.1.el8_10
+%define pkgrelease 553.123.2.el8_10
+%define tarfile_release 553.123.1.el8_10
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.123.1%{?dist}
+%define specrelease 553.123.2%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -435,7 +436,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif
-Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
+Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
 Source9: x509.genkey
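Review bot: The two lines added to ip_append_page() in the net/ipv4/ip_output.c hunk carry no comment saying why caller-owned pages are being flagged, so a reader sees an unconditional tx_flags write with no link to the esp4.c/esp6.c receive-side change; a why-comment above `if (!(flags & MSG_NO_SHARED_FRAGS))` such as `/* Pages handed in by the caller (sendpage/splice) stay visible to user space; flag them so in-place receivers such as the ESP input path copy before writing. */` would carry that intent into the tree. The enclosing functions in all three hunks (ip_append_page() and the ESP input routines) start and end outside the quoted context, and the new `!skb_has_shared_frag(skb)` test sits inside a larger `!skb_cloned(skb)` branch that is not visible here, so the cloned-skb COW fallback is presumably unchanged. The commit message records only that the patch applies with `patch -p1 -F0`; recording a build on the el8 tree and a functional check that an ESP-in-UDP packet built through udp_sendpage now takes the skb_cow_data path would make the backport easier to trust, since the hunk assumes MSG_NO_SHARED_FRAGS and skb_has_shared_frag() exist in this 4.18 tree.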
@@ -538,6 +539,7 @@ Patch2005: 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
+Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 # END OF PATCH DEFINITIONS
@@ -1096,9 +1098,9 @@ ApplyOptionalPatch()
 fi
 }
-%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
-cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
-mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
+%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
+cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
+mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
 cd linux-%{KVERREL}
@@ -1115,6 +1117,7 @@ ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
+ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 # END OF PATCH APPLICATIONS
@@ -2713,6 +2716,9 @@ fi
 #
 #
 %changelog
+* Thu May 07 2026 Andrew Lukoshko - 4.18.0-553.123.2
+- xfrm: esp: avoid in-place decrypt on shared skb frags
+
 * Tue May 05 2026 Andrei Lukoshko - 4.18.0-553.123.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024