diff --git a/SOURCES/CVE-2024-1086.patch b/SOURCES/CVE-2024-1086.patch
new file mode 100644
index 0000000..cb0bbed
--- /dev/null
+++ b/SOURCES/CVE-2024-1086.patch
@@ -0,0 +1,34 @@
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index c52a1dd1b..3ff44747e 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8583,16 +8583,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ 	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+ 
+ 	switch (data->verdict.code) {
+-	default:
+-		switch (data->verdict.code & NF_VERDICT_MASK) {
+-		case NF_ACCEPT:
+-		case NF_DROP:
+-		case NF_QUEUE:
+-			break;
+-		default:
+-			return -EINVAL;
+-		}
+-		/* fall through */
++	case NF_ACCEPT:
++	case NF_DROP:
++	case NF_QUEUE:
++		break;
+ 	case NFT_CONTINUE:
+ 	case NFT_BREAK:
+ 	case NFT_RETURN:
+@@ -8611,6 +8605,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ 		chain->use++;
+ 		data->verdict.chain = chain;
+ 		break;
++	default:
++		return -EINVAL;
+ 	}
+ 
+ 	desc->len = sizeof(data->verdict);
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index c31b0c2..4d2de46 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -38,10 +38,11 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 513.18.1.el8_9
+%define pkgrelease 513.18.2.el8_9
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 513.18.1%{?dist}
+# alma patched to 513.18.2 but still using 513.18.1 sources plus patch file
+%define specrelease 513.18.2%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -526,6 +527,7 @@ Patch999999: linux-kernel-test.patch
 
 Patch1000: debrand-single-cpu.patch
 Patch1002: debrand-rh-i686-cpu.patch
+Patch1003: CVE-2024-1086.patch
 
 Patch1100: 1100-KVM-x86-mmu-Fix-an-sign-extension-bug-with-mmu_seq-t.patch
 
@@ -1092,6 +1094,8 @@ mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
 
 cd linux-%{KVERREL}
 
+ApplyPatch CVE-2024-1086.patch
+
 ApplyOptionalPatch debrand-single-cpu.patch
 ApplyOptionalPatch debrand-rh-i686-cpu.patch
 # Already applied in the source tarball
@@ -2692,6 +2696,9 @@ fi
 #
 #
 %changelog
+* Fri Mar 29 2024 Jonathan Wright <jonathan@almalinux.org> [4.18.0-513.18.2.el8_9]
+- netfilter: nf_tables: reject QUEUE/DROP verdict parameters {CVE-2024-1086}
+
 * Thu Feb 01 2024 Patrick Talbert <ptalbert@redhat.com> [4.18.0-513.18.1.el8_9]
 - net: tls, update curr on splice as well (Sabrina Dubroca) [RHEL-22091 RHEL-19065] {CVE-2024-0646}
 - smb: client: fix potential OOB in smb2_dump_detail() (Scott Mayhew) [RHEL-21672 RHEL-19144] {CVE-2023-6610}