diff --git a/.gitignore b/.gitignore index 4ce832314..0b4a4bae8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ -SOURCES/kernel-abi-stablelists-5.14.0-611.20.1.el9_7.tar.bz2 -SOURCES/kernel-kabi-dw-5.14.0-611.20.1.el9_7.tar.bz2 -SOURCES/linux-5.14.0-611.20.1.el9_7.tar.xz +SOURCES/kernel-abi-stablelists-5.14.0-611.24.1.el9_7.tar.bz2 +SOURCES/kernel-kabi-dw-5.14.0-611.24.1.el9_7.tar.bz2 +SOURCES/linux-5.14.0-611.24.1.el9_7.tar.xz SOURCES/nvidiagpuoot001.x509 SOURCES/olima1.x509 SOURCES/olimaca1.x509 diff --git a/.kernel.metadata b/.kernel.metadata index 0b4114be9..8eb35240d 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,6 +1,6 @@ -1e30289092b81ba717ae5e7f571e1e45bf6c9fe8 SOURCES/kernel-abi-stablelists-5.14.0-611.20.1.el9_7.tar.bz2 -070fdef7e39adf3321eb25910d3da5b3eccb36ec SOURCES/kernel-kabi-dw-5.14.0-611.20.1.el9_7.tar.bz2 -650b2127d6afd5fbed75f4c69c1dff313a99e32f SOURCES/linux-5.14.0-611.20.1.el9_7.tar.xz +9e58f9a6113ab01923ba02acaff63b7de1d8ccf0 SOURCES/kernel-abi-stablelists-5.14.0-611.24.1.el9_7.tar.bz2 +c3610b2f194974a2a575ec35b0c17336dba19542 SOURCES/kernel-kabi-dw-5.14.0-611.24.1.el9_7.tar.bz2 +1568c0459f000363b10345c6dfa4af7e700b026b SOURCES/linux-5.14.0-611.24.1.el9_7.tar.xz 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509 diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver index dc11f32df..6f3c7197b 100644 --- a/SOURCES/Makefile.rhelver +++ b/SOURCES/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 7 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 611.20.1 +RHEL_RELEASE = 611.24.1 # # ZSTREAM diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog index df8b20ef9..8a48f0903 100644 --- a/SOURCES/kernel.changelog +++ b/SOURCES/kernel.changelog 
@@ -1,3 +1,65 @@ +* Sat Jan 10 2026 CKI KWF Bot [5.14.0-611.24.1.el9_7] +- gitlab-ci: use rhel9.7 builder image (Michael Hofmann) +- smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131388] {CVE-2025-39933} +- tty: n_tty: Fix buffer offsets when lookahead is used (Radostin Stoyanov) [RHEL-130039] +Resolves: RHEL-130039, RHEL-131388 + +* Thu Jan 08 2026 CKI KWF Bot [5.14.0-611.23.1.el9_7] +- book3s64/hash: Remove kfence support temporarily (Mamatha Inamdar) [RHEL-135574] +- xfs: rework datasync tracking and execution (CKI Backport Bot) [RHEL-135714] +- xfs: rearrange code in xfs_inode_item_precommit (CKI Backport Bot) [RHEL-135714] +- inetpeer: do not get a refcount in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: update inetpeer timestamp in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer_v[46]() (Guillaume Nault) [RHEL-116121] +- ipv4/route: avoid unused-but-set-variable warning (Guillaume Nault) [RHEL-116121] +- arm64: errata: Expand speculative SSBS workaround for Cortex-A720AE (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A720AE definitions (Waiman Long) [RHEL-130734] +- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (Waiman Long) [RHEL-130734] +- arm64: Add support for HIP09 Spectre-BHB mitigation (Waiman Long) [RHEL-130734] +- arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists (Waiman Long) [RHEL-130734] +- arm64: cputype: Add MIDR_CORTEX_A76AE (Waiman Long) [RHEL-130734] +- arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list (Waiman Long) [RHEL-130734] +- arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround once more (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS 
workaround (again) (Waiman Long) [RHEL-130734] +- tools headers arm64: Sync arm64's cputype.h with the kernel sources (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Neoverse-N3 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A725 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-X1C definitions (Waiman Long) [RHEL-130734] +- drm/xe: Make dma-fences compliant with the safe access rules (Mika Penttilä) [RHEL-122263] {CVE-2025-38703} +Resolves: RHEL-116121, RHEL-122263, RHEL-130734, RHEL-135574, RHEL-135714 + +* Wed Jan 07 2026 CKI KWF Bot [5.14.0-611.22.1.el9_7] +- libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137400] {CVE-2025-68285} +Resolves: RHEL-137400 + +* Thu Jan 01 2026 CKI KWF Bot [5.14.0-611.21.1.el9_7] +- usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths (CKI Backport Bot) [RHEL-137147] {CVE-2025-68287} +- redhat: conflict with unsupported shim on x86/aarch64 (9.7.z) (Li Tian) [RHEL-135775] +- drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134428] {CVE-2025-40277} +- perf tools: Don't set attr.exclude_guest by default (Michael Petlan) [RHEL-131726] +- smb: client: fix refcount leak in smb2_set_path_attr (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential UAF in smb2_close_cached_fid() (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential cfid UAF in smb2_query_info_compound (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix refcount leak for cifs_sb_tlink (Paulo Alcantara) [RHEL-127422] +- cifs: parse_dfs_referrals: prevent oob on malformed input (Paulo Alcantara) [RHEL-127422] +- smb: client: remove cfids_invalidation_worker (Paulo Alcantara) [RHEL-127422] +- smb client: fix bug with newly created file in cached dir (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit negative lookups when parent dir is fully cached (Paulo Alcantara) [RHEL-127422] +- smb: 
client: short-circuit in open_cached_dir_by_dentry() if !dentry (Paulo Alcantara) [RHEL-127422] +- smb: client: remove pointless cfid->has_lease check (Paulo Alcantara) [RHEL-127422] +- smb: client: remove unused fid_lock (Paulo Alcantara) [RHEL-127422] +- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (Paulo Alcantara) [RHEL-127422] +- smb: client: ensure open_cached_dir_by_dentry() only returns valid cfid (Paulo Alcantara) [RHEL-127422] +- smb: client: account smb directory cache usage and per-tcon totals (Paulo Alcantara) [RHEL-127422] +- smb: client: add drop_dir_cache module parameter to invalidate cached dirents (Paulo Alcantara) [RHEL-127422] +- smb: client: show lease state as R/H/W (or NONE) in open_files (Paulo Alcantara) [RHEL-127422] +- smb: client: show negotiated cipher in DebugData (Paulo Alcantara) [RHEL-127422] +- smb: client: add new tracepoint to trace lease break notification (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix NULL pointer dereference in cifs_debug_dirs_proc_show() (Paulo Alcantara) [RHEL-127422] +Resolves: RHEL-127422, RHEL-131726, RHEL-134428, RHEL-135775, RHEL-137147 + * Sat Dec 20 2025 CKI KWF Bot [5.14.0-611.20.1.el9_7] - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806} - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240} diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 489e784ce..4454bba63 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec 
@@ -165,15 +165,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 611.20.1 +%define pkgrelease 611.24.1 %define kversion 5 -%define tarfile_release 5.14.0-611.20.1.el9_7 +%define tarfile_release 5.14.0-611.24.1.el9_7 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 611.20.1%{?buildid}%{?dist} +%define specrelease 611.24.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-611.20.1.el9_7 +%define kabiversion 5.14.0-611.24.1.el9_7 # # End of genspec.sh variables @@ -984,6 +984,9 @@ Recommends: linux-firmware\ Requires(preun): systemd >= 200\ Conflicts: xfsprogs < 4.3.0-1\ Conflicts: xorg-x11-drv-vmmouse < 13.0.99\ +%ifarch x86_64 aarch64\ +Conflicts: shim < 15.8-1\ +%endif\ %{expand:%%{?kernel%{?1:_%{1}}_conflicts:Conflicts: %%{kernel%{?1:_%{1}}_conflicts}}}\ %{expand:%%{?kernel%{?1:_%{1}}_obsoletes:Obsoletes: %%{kernel%{?1:_%{1}}_obsoletes}}}\ %{expand:%%{?kernel%{?1:_%{1}}_provides:Provides: %%{kernel%{?1:_%{1}}_provides}}}\ @@ -3768,7 +3771,7 @@ fi # # %changelog -* Wed Jan 14 2026 Andrew Lukoshko - 5.14.0-611.20.1 +* Thu Jan 22 2026 Andrew Lukoshko - 5.14.0-611.24.1 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 
@@ -3779,11 +3782,69 @@ fi - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained -* Wed Jan 14 2026 Eduard Abdullin - 5.14.0-611.20.1 +* Thu Jan 22 2026 Eduard Abdullin - 5.14.0-611.24.1 - Use AlmaLinux OS secure boot cert - Debrand for AlmaLinux OS - Add KVM support for ppc64le +* Sat Jan 10 2026 CKI KWF Bot [5.14.0-611.24.1.el9_7] +- gitlab-ci: use rhel9.7 builder image (Michael Hofmann) +- smb: client: let recv_done verify data_offset, data_length and remaining_data_length (Paulo Alcantara) [RHEL-131388] {CVE-2025-39933} +- tty: n_tty: Fix buffer offsets when lookahead is used (Radostin Stoyanov) [RHEL-130039] + +* Thu Jan 08 2026 CKI KWF Bot [5.14.0-611.23.1.el9_7] +- book3s64/hash: Remove kfence support temporarily (Mamatha Inamdar) [RHEL-135574] +- xfs: rework datasync tracking and execution (CKI Backport Bot) [RHEL-135714] +- xfs: rearrange code in xfs_inode_item_precommit (CKI Backport Bot) [RHEL-135714] +- inetpeer: do not get a refcount in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: update inetpeer timestamp in inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer() (Guillaume Nault) [RHEL-116121] +- inetpeer: remove create argument of inet_getpeer_v[46]() (Guillaume Nault) [RHEL-116121] +- ipv4/route: avoid unused-but-set-variable warning (Guillaume Nault) [RHEL-116121] +- arm64: errata: Expand speculative SSBS workaround for Cortex-A720AE (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A720AE definitions (Waiman Long) [RHEL-130734] +- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (Waiman Long) [RHEL-130734] +- arm64: Add support for HIP09 Spectre-BHB mitigation (Waiman Long) [RHEL-130734] +- arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists (Waiman Long) [RHEL-130734] +- arm64: cputype: Add MIDR_CORTEX_A76AE (Waiman Long) [RHEL-130734] +- arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list 
(Waiman Long) [RHEL-130734] +- arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround once more (Waiman Long) [RHEL-130734] +- arm64: errata: Expand speculative SSBS workaround (again) (Waiman Long) [RHEL-130734] +- tools headers arm64: Sync arm64's cputype.h with the kernel sources (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Neoverse-N3 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-A725 definitions (Waiman Long) [RHEL-130734] +- arm64: cputype: Add Cortex-X1C definitions (Waiman Long) [RHEL-130734] +- drm/xe: Make dma-fences compliant with the safe access rules (Mika Penttilä) [RHEL-122263] {CVE-2025-38703} + +* Wed Jan 07 2026 CKI KWF Bot [5.14.0-611.22.1.el9_7] +- libceph: fix potential use-after-free in have_mon_and_osd_map() (CKI Backport Bot) [RHEL-137400] {CVE-2025-68285} + +* Thu Jan 01 2026 CKI KWF Bot [5.14.0-611.21.1.el9_7] +- usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths (CKI Backport Bot) [RHEL-137147] {CVE-2025-68287} +- redhat: conflict with unsupported shim on x86/aarch64 (9.7.z) (Li Tian) [RHEL-135775] +- drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CKI Backport Bot) [RHEL-134428] {CVE-2025-40277} +- perf tools: Don't set attr.exclude_guest by default (Michael Petlan) [RHEL-131726] +- smb: client: fix refcount leak in smb2_set_path_attr (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential UAF in smb2_close_cached_fid() (Paulo Alcantara) [RHEL-127422] +- smb: client: fix potential cfid UAF in smb2_query_info_compound (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix refcount leak for cifs_sb_tlink (Paulo Alcantara) [RHEL-127422] +- cifs: parse_dfs_referrals: prevent oob on malformed input (Paulo Alcantara) [RHEL-127422] +- smb: client: remove cfids_invalidation_worker (Paulo Alcantara) [RHEL-127422] +- smb client: fix bug with newly created file in cached 
dir (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit negative lookups when parent dir is fully cached (Paulo Alcantara) [RHEL-127422] +- smb: client: short-circuit in open_cached_dir_by_dentry() if !dentry (Paulo Alcantara) [RHEL-127422] +- smb: client: remove pointless cfid->has_lease check (Paulo Alcantara) [RHEL-127422] +- smb: client: remove unused fid_lock (Paulo Alcantara) [RHEL-127422] +- smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (Paulo Alcantara) [RHEL-127422] +- smb: client: ensure open_cached_dir_by_dentry() only returns valid cfid (Paulo Alcantara) [RHEL-127422] +- smb: client: account smb directory cache usage and per-tcon totals (Paulo Alcantara) [RHEL-127422] +- smb: client: add drop_dir_cache module parameter to invalidate cached dirents (Paulo Alcantara) [RHEL-127422] +- smb: client: show lease state as R/H/W (or NONE) in open_files (Paulo Alcantara) [RHEL-127422] +- smb: client: show negotiated cipher in DebugData (Paulo Alcantara) [RHEL-127422] +- smb: client: add new tracepoint to trace lease break notification (Paulo Alcantara) [RHEL-127422] +- smb: client: Fix NULL pointer dereference in cifs_debug_dirs_proc_show() (Paulo Alcantara) [RHEL-127422] + * Sat Dec 20 2025 CKI KWF Bot [5.14.0-611.20.1.el9_7] - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() (CKI Backport Bot) [RHEL-124607] {CVE-2025-39806} - sctp: avoid NULL dereference when chunk data buffer is missing (CKI Backport Bot) [RHEL-134001] {CVE-2025-40240}
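
Review bot: in the .kernel.metadata hunk, the three new 611.24.1 tarball entries are still pinned with 40-hex-digit digests, which is SHA-1 length, and that digest is the only integrity check this commit records for the kernel source. If the tooling that consumes .kernel.metadata accepts a longer digest, record SHA-256 for the new tarballs. Otherwise, verify the downloaded tarballs against an independently published stronger checksum before accepting these values.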
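
Review bot: in the SOURCES/kernel.changelog hunk, several entries under 5.14.0-611.21.1 describe memory-safety fixes but carry no CVE tag, for example "smb: client: fix potential UAF in smb2_close_cached_fid()", "smb: client: fix potential cfid UAF in smb2_query_info_compound" and "cifs: parse_dfs_referrals: prevent oob on malformed input", all filed under RHEL-127422. Other entries in the same hunk are tagged in the {CVE-...} form. Confirm whether identifiers exist for these three and, if so, add them, so that errata tooling keyed on the braces does not classify this part of the update as bug-fix only.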
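
Review bot: in the SPECS/kernel.spec hunk at -984, the added "Conflicts: shim < 15.8-1" inside "%ifarch x86_64 aarch64" has no explanation of why 15.8-1 is the floor. The only rationale visible is the changelog line "redhat: conflict with unsupported shim on x86/aarch64 (9.7.z)" [RHEL-135775], so add a short comment next to the macro that cites it. Because this spec also records "Use AlmaLinux OS secure boot cert", confirm that the shim packages shipped for this distribution provide the name "shim" with a comparable version-release. If they do not, the conflict either never matches or blocks installation alongside a shim that is actually supported.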
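
Review bot: in the SPECS/kernel.spec %changelog hunk at -3768, the downstream entry is rewritten in place from "Wed Jan 14 2026 Andrew Lukoshko - 5.14.0-611.20.1" to "Thu Jan 22 2026 Andrew Lukoshko - 5.14.0-611.24.1", and the next hunk does the same for the Eduard Abdullin entry. After this change the changelog no longer shows that these downstream modifications shipped with 611.20.1, and two entries share one date and version. If the rebase workflow allows it, add a single new dated entry for the 611.24.1 rebuild and leave the earlier ones as history. If the in-place bump is the intended convention, say so in the commit message.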
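
Review bot: in the SPECS/kernel.spec %changelog hunk at -3779, the imported 611.21.1 to 611.24.1 entries omit the "Resolves:" lines that the same entries carry in SOURCES/kernel.changelog, for example "Resolves: RHEL-130039, RHEL-131388". If they are stripped on purpose, a one-line comment in the spec would make that clear. If not, keep them so both copies of the changelog list the same ticket set and can be diffed against each other when auditing which fixes a build contains.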