diff --git a/Makefile.rhelver b/Makefile.rhelver
index 70733844b..633a148cc 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 3
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 237
+RHEL_RELEASE = 238
 
 #
 # RHEL_REBASE_NUM
diff --git a/kernel.changelog b/kernel.changelog
index 3b250b87f..ba4dbda0a 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,36 @@
+* Wed Jun 10 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-238.el10]
+- redhat: Fix rebuild changelog generation for automotive (Oleksii Baranov)
+- powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() (Mamatha Inamdar) [RHEL-174883]
+- powerpc/fadump: Reserve page-aligned boot_memory_size during fadump_reserve_mem (Mamatha Inamdar) [RHEL-174883]
+- powerpc/fadump: Refactor and prepare fadump_cma_init for late init (Mamatha Inamdar) [RHEL-174883]
+- selinux: fix overlayfs mmap() and mprotect() access checks (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: add backing_file LSM hooks (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- fs: prepare for adding LSM blob to backing_file (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: cleanup the debug and console output in lsm_init.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: add/tweak function header comment blocks in lsm_init.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: fold lsm_init_ordered() into security_init() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: cleanup initialize_lsm() and rename to lsm_init_single() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: cleanup the LSM blob size code (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename/rework ordered_lsm_parse() to lsm_order_parse() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename/rework append_ordered_lsm() into lsm_order_append() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename exists_ordered_lsm() to lsm_order_exists() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rework the LSM enable/disable setter/getter functions (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: get rid of the lsm_names list and do some cleanup (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rework lsm_active_cnt and lsm_idlist[] (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename the lsm order variables for consistency (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: replace the name field with a pointer to the lsm_id struct (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename ordered_lsm_init() to lsm_init_ordered() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: integrate lsm_early_cred() and lsm_early_task() into caller (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: integrate report_lsm_order() code into caller (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: introduce looping macros for the initialization code (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: consolidate lsm_allowed() and prepare_lsm() into lsm_prepare() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: split the init code out into lsm_init.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: split the notifier code out into lsm_notifier.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- fs: constify file ptr in backing_file accessor helpers (Ondrej Mosnacek) [RHEL-179440]
+- exit: prevent preemption of oopsing TASK_DEAD task (CKI Backport Bot) [RHEL-180014] {CVE-2026-46173}
+- can: raw: fix ro->uniq use-after-free in raw_rcv() (Davide Caratti) [RHEL-170766] {CVE-2026-31532}
+Resolves: RHEL-162252, RHEL-170766, RHEL-174883, RHEL-179440, RHEL-180014
+
 * Fri Jun 05 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-237.el10]
 - scripts/sorttable: Fix endianness handling in build-time mcount sort (Jerome Marchand) [RHEL-180193]
 - scripts/sorttable: Allow matches to functions before function entry (Jerome Marchand) [RHEL-180193]
diff --git a/kernel.spec b/kernel.spec
index 7a1a1b492..d36bba91d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -179,15 +179,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 237
+%define pkgrelease 238
 %define kversion 6
-%define tarfile_release 6.12.0-237.el10
+%define tarfile_release 6.12.0-238.el10
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 237%{?buildid}%{?dist}
+%define specrelease 238%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-237.el10
+%define kabiversion 6.12.0-238.el10
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -4570,14 +4570,14 @@ fi\
 #
 #
 %changelog
-* Tue Jun 09 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-237
+* Thu Jun 11 2026 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-238
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert
 
-* Tue Jun 09 2026 Neal Gompa <ngompa@almalinux.org> - 6.12.0-237
+* Thu Jun 11 2026 Neal Gompa <ngompa@almalinux.org> - 6.12.0-238
 - Enable Btrfs support for all kernel variants
 
-* Tue Jun 09 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-237
+* Thu Jun 11 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-238
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -4587,6 +4587,38 @@ fi\
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
+* Wed Jun 10 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-238.el10]
+- redhat: Fix rebuild changelog generation for automotive (Oleksii Baranov)
+- powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() (Mamatha Inamdar) [RHEL-174883]
+- powerpc/fadump: Reserve page-aligned boot_memory_size during fadump_reserve_mem (Mamatha Inamdar) [RHEL-174883]
+- powerpc/fadump: Refactor and prepare fadump_cma_init for late init (Mamatha Inamdar) [RHEL-174883]
+- selinux: fix overlayfs mmap() and mprotect() access checks (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: add backing_file LSM hooks (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- fs: prepare for adding LSM blob to backing_file (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: cleanup the debug and console output in lsm_init.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: add/tweak function header comment blocks in lsm_init.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: fold lsm_init_ordered() into security_init() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: cleanup initialize_lsm() and rename to lsm_init_single() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: cleanup the LSM blob size code (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename/rework ordered_lsm_parse() to lsm_order_parse() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename/rework append_ordered_lsm() into lsm_order_append() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename exists_ordered_lsm() to lsm_order_exists() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rework the LSM enable/disable setter/getter functions (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: get rid of the lsm_names list and do some cleanup (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rework lsm_active_cnt and lsm_idlist[] (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename the lsm order variables for consistency (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: replace the name field with a pointer to the lsm_id struct (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: rename ordered_lsm_init() to lsm_init_ordered() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: integrate lsm_early_cred() and lsm_early_task() into caller (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: integrate report_lsm_order() code into caller (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: introduce looping macros for the initialization code (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: consolidate lsm_allowed() and prepare_lsm() into lsm_prepare() (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: split the init code out into lsm_init.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- lsm: split the notifier code out into lsm_notifier.c (Ondrej Mosnacek) [RHEL-179440] {CVE-2026-46054}
+- fs: constify file ptr in backing_file accessor helpers (Ondrej Mosnacek) [RHEL-179440]
+- exit: prevent preemption of oopsing TASK_DEAD task (CKI Backport Bot) [RHEL-180014] {CVE-2026-46173}
+- can: raw: fix ro->uniq use-after-free in raw_rcv() (Davide Caratti) [RHEL-170766] {CVE-2026-31532}
+
 * Fri Jun 05 2026 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-237.el10]
 - scripts/sorttable: Fix endianness handling in build-time mcount sort (Jerome Marchand) [RHEL-180193]
 - scripts/sorttable: Allow matches to functions before function entry (Jerome Marchand) [RHEL-180193]
diff --git a/sources b/sources
index 5254506a6..5d8e79bab 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
 SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 4f917598056dee5e23814621ec96ff2e4a411c8c4ba9d56ecb01b23cb96431825bedbecfcbaac9338efbf5cb21694d85497fa0bf43e7c80d9cd10bc6dd144dbd
 SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 19308cd976031d05e18ef7f5d093218acdb89446418bab0cd956ff12cf66369915b9e64bb66fa9f20939428a60e81884fec5be3529c6c7461738d6540d3cc5c6
-SHA512 (linux-6.12.0-237.el10.tar.xz) = c592827e3999dadf0ffdafe10249d686801b3f3570adec19bc1ce9bec16af24bcf672d813abdfe6d2f73a1d482c2e7600350faedbacfb2414364becc9e33a98e
-SHA512 (kernel-abi-stablelists-6.12.0-237.el10.tar.xz) = db356620a3ffba430e52e42161881850f2f0a8735204f26ed6b75dd3567a5770933064f1cd1beb6481dbed6c3779013ba8b267f2fc60a156cd3e858e73336c73
-SHA512 (kernel-kabi-dw-6.12.0-237.el10.tar.xz) = d5f73c7e13f77828ea7fbb33417ef2073b1d4f12e03a08d34469817ff71a5548bcc0602d5777acd272f88f9b40ec00ffcefa7b5bc0fd124445585adc6370fa23
+SHA512 (linux-6.12.0-238.el10.tar.xz) = 27e314bcf4f6588432a8663cbca259fdbdc09a9c1edf207b54ab6ef16663718e850720673f3a00a3f82bbd72c667550d72ff557e3d5ad6fdade670530732f4aa
+SHA512 (kernel-abi-stablelists-6.12.0-238.el10.tar.xz) = 92080af16debf6f37e7d3cb31e2fadebaf4dfe4162d69173e2d60abe73956eaf073044e2677d391297285210cdf8d929a518e876fb35f45236d64c9e128a8135
+SHA512 (kernel-kabi-dw-6.12.0-238.el10.tar.xz) = 6a90be8a2d6bc112fe22d9ca4bd6bdb3770ca717907d266d11ce4f9d33565ba1bcbeb7472abd2fa8315589909a7c8e6fecfb298f17c0b3c74633ccce3b5fac15