diff --git a/kernel.spec b/kernel.spec
index 74db7a1dc..c5fd5f13d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 552.2.1.el8_10
+%define pkgrelease 552.3.1.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 552.2.1%{?dist}
+%define specrelease 552.3.1%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -2696,6 +2696,35 @@ fi
 #
 #
 %changelog
+* Sat May 11 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-552.3.1.el8_10]
+- netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout (Phil Sutter) [RHEL-30076] {CVE-2024-26643}
+- netfilter: nf_tables: disallow anonymous set with timeout flag (Phil Sutter) [RHEL-30080] {CVE-2024-26642}
+- selftests/bpf: Fix pyperf180 compilation failure with clang18 (Artem Savkov) [RHEL-35576]
+- md/raid5: fix atomicity violation in raid5_cache_count (Nigel Croxon) [RHEL-27930] {CVE-2024-23307}
+- usb: ulpi: Fix debugfs directory leak (Desnes Nunes) [RHEL-33287] {CVE-2024-26919}
+- powerpc/pseries: Fix potential memleak in papr_get_attr() (Mamatha Inamdar) [RHEL-35213] {CVE-2022-48669}
+- USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command (Desnes Nunes) [RHEL-35122] {CVE-2024-27059}
+- NFSv4: fairly test all delegations on a SEQ4_ revocation (Benjamin Coddington) [RHEL-34912]
+- USB: core: Fix deadlock in usb_deauthorize_interface() (Desnes Nunes) [RHEL-35002] {CVE-2024-26934}
+- usb: xhci: Add error handling in xhci_map_urb_for_dma (Desnes Nunes) [RHEL-34958] {CVE-2024-26964}
+- fs: sysfs: Fix reference leak in sysfs_break_active_protection() (Ewan D. Milne) [RHEL-35076] {CVE-2024-26993}
+- xhci: handle isoc Babble and Buffer Overrun events properly (Desnes Nunes) [RHEL-31297] {CVE-2024-26659}
+- xhci: process isoc TD properly when there was a transaction error mid TD. (Desnes Nunes) [RHEL-31297] {CVE-2024-26659}
+- USB: core: Fix deadlock in port "disable" sysfs attribute (Desnes Nunes) [RHEL-35006] {CVE-2024-26933}
+- USB: core: Add hub_get() and hub_put() routines (Desnes Nunes) [RHEL-35006] {CVE-2024-26933}
+- netfilter: ipset: Missing gc cancellations fixed (Phil Sutter) [RHEL-30521]
+- netfilter: ipset: fix performance regression in swap operation (Phil Sutter) [RHEL-30521]
+- netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports (Phil Sutter) [RHEL-30521]
+- netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test (Phil Sutter) [RHEL-30521]
+- x86/apic/x2apic: Fix a NULL pointer deref when handling a dying cpu (David Arcari) [RHEL-32516]
+- x86/coco: Disable 32-bit emulation by default on TDX and SEV (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+- x86: Make IA32_EMULATION boot time configurable (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+- x86/entry: Make IA32 syscalls' availability depend on ia32_enabled() (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+- x86/elf: Make loading of 32bit processes depend on ia32_enabled() (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+- x86/entry: Rename ignore_sysret() (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+- x86/cpu: Don't write CSTAR MSR on Intel CPUs (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+- x86: Introduce ia32_enabled() (Vitaly Kuznetsov) [RHEL-25087] {CVE-2024-25744}
+
 * Mon May 06 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-552.2.1.el8_10]
 - s390/ptrace: handle setting of fpc register correctly (Tobias Huschle) [RHEL-29106] {CVE-2023-52598}
 - net/smc: fix illegal rmb_desc access in SMC-D connection dump (Tobias Huschle) [RHEL-27746] {CVE-2024-26615}
diff --git a/sources b/sources
index 6b99e7d84..ea6b92825 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-552.2.1.el8_10.tar.xz) = 25998e91af1523779460a1e566bc036583fdf7f72291454e1c5671baedfad1a838d5c3cf3de9c5f544b4deee1bc221dd0445076ce77720cc266ba088d8b32a86
-SHA512 (kernel-abi-stablelists-4.18.0-552.tar.bz2) = ccd5e87614b2998183dfe4b1f4bebc1b6717da6c0b7d6daa18fee8abba70d5a155a4a009fc0f0355640a1b426e3ad5818dc435942b235511619a6f1639e8ff5e
+SHA512 (linux-4.18.0-552.3.1.el8_10.tar.xz) = fbed707fb8c6429f8fd47b5c099bda1f0c69c35505dcf72510fd040ef53a470256e16c796031dcc036f1f802876bfc9ac9f340c6788586f241bf173b5d63e0a9
+SHA512 (kernel-abi-stablelists-4.18.0-552.tar.bz2) = d9f510314ddd07fb118aac5bf66e9af5613d0bbce0e07618e45510d66a4161aa69b0405391b6f309461563ff7f9f374ce69dff61bd7839a15bdacd914ae332b7
 SHA512 (kernel-kabi-dw-4.18.0-552.tar.bz2) = 8a671ed3c9b7f4b25fd4e594b62bc4a26474cb705d3ed22ca376618b3c7962fc72ace1ffd02c9c3a192d9d2c449d38228809542d7f16ebad16f8127020eb2faf