diff --git a/kernel.spec b/kernel.spec
index f3d3b1162..8afa0c643 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 553.8.1.el8_10
+%define pkgrelease 553.9.1.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.8.1%{?dist}
+%define specrelease 553.9.1%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -2696,6 +2696,71 @@ fi
 #
 #
 %changelog
+* Fri Jun 21 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.9.1.el8_10]
+- x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() (Steve Best) [RHEL-37262] {CVE-2024-35876}
+- net/sched: flower: Fix chain template offload (Xin Long) [RHEL-31313] {CVE-2024-26669}
+- SUNRPC: fix a memleak in gss_import_v2_context (Scott Mayhew) [RHEL-35195] {CVE-2023-52653}
+- efivarfs: force RO when remounting if SetVariable is not supported (Pavel Reichl) [RHEL-26564] {CVE-2023-52463}
+- dmaengine: idxd: add a write() method for applications to submit work (Jerry Snitselaar) [RHEL-35826] {CVE-2024-21823}
+- dmaengine: idxd: add a new security check to deal with a hardware erratum (Jerry Snitselaar) [RHEL-35826] {CVE-2024-21823}
+- VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist (Jerry Snitselaar) [RHEL-35826] {CVE-2024-21823}
+- quota: Fix potential NULL pointer dereference (Pavel Reichl) [RHEL-33219] {CVE-2024-26878}
+- locking/lockdep: Fix overflow in presentation of average lock-time (Čestmír Kalina) [RHEL-17678]
+- blk-cgroup: Properly propagate the iostat update up the hierarchy (Ming Lei) [RHEL-40939]
+- proc: Use new_inode not new_inode_pseudo (Ian Kent) [RHEL-40167]
+- stmmac: Clear variable when destroying workqueue (Izabela Bakollari) [RHEL-31822] {CVE-2024-26802}
+- powerpc/pseries/memhp: Fix access beyond end of drmem array (Mamatha Inamdar) [RHEL-26495] {CVE-2023-52451}
+- platform/x86: wmi: Fix opening of char device (David Arcari) [RHEL-38258] {CVE-2023-52864}
+- Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" (Kamal Heib) [RHEL-36908] {CVE-2023-52658}
+- hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed (Cathy Avery) [RHEL-39074]
+- hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove (Cathy Avery) [RHEL-39074]
+- hv_netvsc: Calculate correct ring size when PAGE_SIZE is not 4 Kbytes (Cathy Avery) [RHEL-39074]
+- hv_netvsc: remove duplicated including of slab.h (Cathy Avery) [RHEL-39074]
+- hv_netvsc: rndis_filter needs to select NLS (Cathy Avery) [RHEL-39074]
+- hv_netvsc: Mark VF as slave before exposing it to user-mode (Cathy Avery) [RHEL-39074]
+- hv_netvsc: Fix race of register_netdevice_notifier and VF register (Cathy Avery) [RHEL-39074]
+- hv_netvsc: fix race of netvsc and VF register_netdevice (Cathy Avery) [RHEL-39074]
+- hv_netvsc: fix netvsc_send_completion to avoid multiple message length checks (Cathy Avery) [RHEL-39074]
+- hv_netvsc: Allocate rx indirection table size dynamically (Cathy Avery) [RHEL-39074]
+- net: hv_netvsc: Fix a warning triggered by memcpy in rndis_filter (Cathy Avery) [RHEL-39074]
+- gfs2: Fix lru_count accounting (Andreas Gruenbacher) [RHEL-32941]
+- gfs2: Fix "Make glock lru list scanning safer" (Andreas Gruenbacher) [RHEL-32941]
+- gfs2: Fix "ignore unlock failures after withdraw" (Andreas Gruenbacher) [RHEL-32941]
+- gfs2: Don't set GLF_LOCK in gfs2_dispose_glock_lru (Andreas Gruenbacher) [RHEL-32941]
+- gfs2: Don't forget to complete delayed withdraw (Andreas Gruenbacher) [RHEL-32941]
+- gfs2: Delay withdraw from atomic context (Andreas Gruenbacher) [RHEL-32941]
+- gfs2: trivial clean up of gfs2_ail_error (Andreas Gruenbacher) [RHEL-32941]
+- ext4: fix corruption during on-line resize (Carlos Maiolino) [RHEL-36974] {CVE-2024-35807}
+- ext4: correct offset of gdb backup in non meta_bg group to update_backups (Carlos Maiolino) [RHEL-36974]
+- ext4: avoid online resizing failures due to oversized flex bg (Carlos Maiolino) [RHEL-30507] {CVE-2023-52622}
+- ext4: use time_is_before_jiffies() instead of open coding it (Carlos Maiolino) [RHEL-30507]
+- ext4: unify the type of flexbg_size to unsigned int (Carlos Maiolino) [RHEL-30507]
+- ext4: remove unnecessary check from alloc_flex_gd() (Carlos Maiolino) [RHEL-30507]
+- tracing: Do no increment trace_clock_global() by one (Jerome Marchand) [RHEL-27107] {CVE-2021-46939}
+- tracing: Restructure trace_clock_global() to never block (Jerome Marchand) [RHEL-27107] {CVE-2021-46939}
+- net/sched: act_skbmod: prevent kernel-infoleak (Xin Long) [RHEL-37220] {CVE-2024-35893}
+- tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING (Xin Long) [RHEL-38307] {CVE-2023-52845}
+- redhat: remove the merge subtrees script (Derek Barbosa)
+- redhat: rhdocs: delete .get_maintainer.conf (Derek Barbosa)
+- redhat: rhdocs: Remove the rhdocs directory (Derek Barbosa)
+- dyndbg: fix old BUG_ON in >control parser (Waiman Long) [RHEL-37111] {CVE-2024-35947}
+- dyndbg: let query-modname override actual module name (Waiman Long) [RHEL-37111]
+- dyndbg: make dyndbg a known cli param (Waiman Long) [RHEL-37111]
+- lan78xx: Fix exception on link speed change (Jamie Bainbridge) [RHEL-33437]
+- net: usb: lan78xx: don't modify phy_device state concurrently (Jamie Bainbridge) [RHEL-33437]
+- efi: runtime: Fix potential overflow of soft-reserved region size (Lenny Szubowicz) [RHEL-33096] {CVE-2024-26843}
+- perf/arm-cmn: Fail DTC counter allocation correctly (Michael Petlan) [RHEL-23841]
+- perf/arm-cmn: Rework DTC counters (again) (Michael Petlan) [RHEL-23841]
+- perf/arm-cmn: Fix DTC domain detection (Michael Petlan) [RHEL-23841]
+- perf/arm-cmn: Revamp model detection (Michael Petlan) [RHEL-23841]
+- perf/arm-cmn: Fix port detection for CMN-700 (Michael Petlan) [RHEL-23841]
+- perf/arm-cmn: Move overlapping wp_combine field (Michael Petlan) [RHEL-23841]
+- Partially revert "perf/arm-cmn: Optimise DTC counter accesses" (Michael Petlan) [RHEL-23841]
+- drivers/perf: Compile with gnu99 standard (Michael Petlan) [RHEL-23841]
+- x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD (Steve Best) [RHEL-36994] {CVE-2024-35801}
+- watchdog: softdog: Add options 'soft_reboot_cmd' and 'soft_active_on_boot' (Waiman Long) [RHEL-19723]
+- tipc: fix UAF in error path (Xin Long) [RHEL-34278] {CVE-2024-36886}
+
 * Fri Jun 14 2024 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-553.8.1.el8_10]
 - udf: Fix NULL pointer dereference in udf_symlink function (Pavel Reichl) [RHEL-37769] {CVE-2021-47353}
 - net: ti: fix UAF in tlan_remove_one (Jose Ignacio Tornos Martinez) [RHEL-38940] {CVE-2021-47310}
diff --git a/sources b/sources
index d41f92577..492fdba01 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-553.8.1.el8_10.tar.xz) = 7855e031bb0cf8ab76a3eb71090022af235acdf4f07c27303cf4a8da15c3cd0b10591930e3de3c7fe3b0cfbd8e616822683d9eb39ec58412a91e39891b5bcff6
-SHA512 (kernel-abi-stablelists-4.18.0-553.tar.bz2) = 907ae7b96e9f53a02ad8187904800826713900c7a433dc049bba2ec9506ba05ef77803239e6d8442a6b3b71fb632fafe3565221e4ad7a1dafd4b291702377e4b
+SHA512 (linux-4.18.0-553.9.1.el8_10.tar.xz) = f896972bd0d328c8a8f01e8de18417c65fbcb85c5cf1b291dc2cdb75bed19da61e2b2b3dcae3538329d644a687ac853543cda6a9035afba71dd4b8b18845d2f9
+SHA512 (kernel-abi-stablelists-4.18.0-553.tar.bz2) = 14fd0d823e040b8b76834ab7737b4b955015a8e8fef943f799516d5efe3eb3350333590071e8855382a28638397d87b9222fb49f240ecf42974ba39bff460ebe
 SHA512 (kernel-kabi-dw-4.18.0-553.tar.bz2) = 8a671ed3c9b7f4b25fd4e594b62bc4a26474cb705d3ed22ca376618b3c7962fc72ace1ffd02c9c3a192d9d2c449d38228809542d7f16ebad16f8127020eb2faf