diff --git a/.gitignore b/.gitignore
index 0568cc67f..c3c5adba9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@ SOURCES/centossecureboot201.cer
 SOURCES/centossecurebootca2.cer
 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
 SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
-SOURCES/linux-4.18.0-553.123.1.el8_10.tar.xz
+SOURCES/linux-4.18.0-553.124.1.el8_10.tar.xz
 SOURCES/redhatsecureboot302.cer
 SOURCES/redhatsecureboot303.cer
 SOURCES/redhatsecureboot501.cer
diff --git a/.kernel.metadata b/.kernel.metadata
index fef3ba560..0a47b00ab 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,8 +1,8 @@
 2ba40bf9138b48311e5aa1b737b7f0a8ad66066f SOURCES/centossecureboot201.cer
 bfdb3d7cffc43f579655af5155d50c08671d95e5 SOURCES/centossecurebootca2.cer
-16beeec466f9755c7ff70f7393c88320af46e2ed SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
+fd1739a125daaa36c88c27d65c82982ea8c72e30 SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2
 2318474e4033305aa0461e29d5962ca0a5dc24cb SOURCES/kernel-kabi-dw-4.18.0-553.tar.bz2
-5a7ddf54de0b2233bda2448815fd1bbc324db233 SOURCES/linux-4.18.0-553.123.1.el8_10.tar.xz
+f423c7e25012fe223823503f126066d48577331b SOURCES/linux-4.18.0-553.124.1.el8_10.tar.xz
 13e5cd3f856b472fde80a4deb75f4c18dfb5b255 SOURCES/redhatsecureboot302.cer
 e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot303.cer
 ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
diff --git a/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
deleted file mode 100644
index 88227ab88..000000000
--- a/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+++ /dev/null
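Review bot: The checksum for SOURCES/kernel-abi-stablelists-4.18.0-553.tar.bz2 changes (16beeec4… → fd1739a1…) while the file name does not, and nothing in the spec changelog touched by this commit accounts for a new stablelists tarball. A same-named lookaside artifact with a new hash is exactly what a build-provenance audit trips over, so the commit message or changelog should say where the replacement came from (presumably the RHEL 553.124.1 source package, but that is not stated anywhere here). The other two entries are consistent with the linux-4.18.0-553.124.1.el8_10.tar.xz rename in .gitignore and Source0.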
@@ -1,75 +0,0 @@
-From: Andrew Lukoshko
-Subject: [PATCH AlmaLinux 8] xfrm: esp: avoid in-place decrypt on shared skb frags
-
-Backport of upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place
-decrypt on shared skb frags") for AlmaLinux 8 (4.18 kernel).
-
-Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
-against kernel-4.18.0-553.123.1.el8_10.
-
-ESP-in-UDP packets built from caller-owned pages (e.g. pipe pages
-attached via udp_sendpage(2) -> ip_append_page() -> skb_append_pagefrags())
-look like ordinary uncloned nonlinear skbs. ESP input then takes the
-no-COW fast path and decrypts in place over data that is not owned
-privately by the skb, which can be read or modified by an unprivileged
-process holding the pages.
-
-Tree adaptation:
- * Upstream patches __ip_append_data() / __ip6_append_data(), the
- MSG_SPLICE_PAGES branch added by 7da0dde68486 / 6d8192bd69bb.
- That feature is not present in the 4.18 tree.
- * The age-equivalent producer is ip_append_page() (called from
- udp_sendpage). Mark frags there using SKBTX_SHARED_FRAG, which
- is what skb_has_shared_frag() already checks on this kernel.
- * UDPv6 has no .sendpage op in this tree, so the esp6 hunk is
- defense-in-depth in case a later backport adds one.
- * The esp4/esp6 receiver-side hunks are taken verbatim from
- upstream.
-
-Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
-Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
-(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4)
-Signed-off-by: Andrew Lukoshko
----
- net/ipv4/esp4.c | 3 ++-
- net/ipv4/ip_output.c | 2 ++
- net/ipv6/esp6.c | 3 ++-
- 3 files changed, 6 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/esp4.c
-+++ b/net/ipv4/esp4.c
-@@ -913,7 +913,8 @@
- nfrags = 1;
-
- goto skip_cow;
-- } else if (!skb_has_frag_list(skb)) {
-+ } else if (!skb_has_frag_list(skb) &&
-+ !skb_has_shared_frag(skb)) {
- nfrags = skb_shinfo(skb)->nr_frags;
- nfrags++;
-
---- a/net/ipv4/ip_output.c
-+++ b/net/ipv4/ip_output.c
-@@ -1346,6 +1346,8 @@
- err = -EMSGSIZE;
- goto error;
- }
-+ if (!(flags & MSG_NO_SHARED_FRAGS))
-+ skb_shinfo(skb)->tx_flags |= SKBTX_SHARED_FRAG;
-
- if (skb->ip_summed == CHECKSUM_NONE) {
- __wsum csum;
---- a/net/ipv6/esp6.c
-+++ b/net/ipv6/esp6.c
-@@ -971,7 +971,8 @@
- nfrags = 1;
-
- goto skip_cow;
-- } else if (!skb_has_frag_list(skb)) {
-+ } else if (!skb_has_frag_list(skb) &&
-+ !skb_has_shared_frag(skb)) {
- nfrags = skb_shinfo(skb)->nr_frags;
- nfrags++;
-
---
-2.43.0
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 496b8a8aa..59ef43e54 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -38,11 +38,10 @@
 # define buildid .local
 %define specversion 4.18.0
-%define pkgrelease 553.123.2.el8_10
-%define tarfile_release 553.123.1.el8_10
+%define pkgrelease 553.124.1.el8_10
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.123.2%{?dist}
+%define specrelease 553.124.1%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -436,7 +435,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif
-Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
+Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
 Source9: x509.genkey
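Review bot: Dropping `%define tarfile_release` re-couples the tarball name to `pkgrelease`, which the removed lines show the 553.123.2 respin had deliberately decoupled (`pkgrelease 553.123.2.el8_10` built from `tarfile_release 553.123.1.el8_10` plus a local patch). The next out-of-band hotfix will have to reintroduce the macro or rename the tarball, so keeping `%define tarfile_release 553.124.1.el8_10` next to `pkgrelease` and leaving `Source0` on `%{tarfile_release}` costs nothing now and keeps a respin a one-line change. The same coupling is introduced in the `Source0` hunk at -436 and the `%setup`/`cp`/`mv` hunk at -1098, so whichever way this is decided it should be applied to all three.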
@@ -539,7 +538,6 @@ Patch2005: 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
-Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 # END OF PATCH DEFINITIONS
@@ -1098,9 +1096,9 @@ ApplyOptionalPatch()
 fi
 }
-%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
-cp -v %{SOURCE9000} linux-%{specversion}-%{tarfile_release}/certs/rhel.pem
-mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
+%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
+cp -v %{SOURCE9000} linux-%{specversion}-%{pkgrelease}/certs/rhel.pem
+mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
 cd linux-%{KVERREL}
@@ -1117,7 +1115,6 @@ ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
-ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 # END OF PATCH APPLICATIONS
@@ -2716,10 +2713,7 @@ fi
 #
 #
 %changelog
-* Thu May 07 2026 Andrew Lukoshko - 4.18.0-553.123.2
-- xfrm: esp: avoid in-place decrypt on shared skb frags
-
-* Tue May 05 2026 Andrei Lukoshko - 4.18.0-553.123.1
+* Tue May 12 2026 Andrei Lukoshko - 4.18.0-553.124.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
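Review bot: Removing `Patch1100` here (and its `ApplyPatch` line in the -1117 hunk) hands the ESP shared-frag fix over to the 553.124.1 tarball, which the new changelog entry for CVE-2026-43284 says carries it. The deleted local backport did more than the upstream receiver-side hunks: its commit message explains that the 4.18 tree lacks the MSG_SPLICE_PAGES producer upstream patched, so it additionally set `SKBTX_SHARED_FRAG` in `ip_append_page()` in net/ipv4/ip_output.c to make the esp4 `skb_has_shared_frag()` check meaningful on this kernel. Before the local patch is dropped, confirm that the RHEL backport marks that `udp_sendpage()` path as well; if it only carries the esp4/esp6 hunks, the check may have nothing to see on 4.18 and the fix could be incomplete. A one-line changelog remark recording that this was verified against the 553.124.1 sources would make the decision auditable later.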
@@ -2730,10 +2724,13 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained
-* Tue May 05 2026 Eduard Abdullin - 4.18.0-553.123.1
+* Tue May 12 2026 Eduard Abdullin - 4.18.0-553.124.1
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS
+* Mon May 11 2026 Denys Vlasenko [4.18.0-553.124.1.el8_10]
+- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174586] {CVE-2026-43284}
+
 * Mon May 04 2026 Denys Vlasenko [4.18.0-553.123.1.el8_10]
 - crypto: algif_aead - snapshot IV for async AEAD requests (Herbert Xu) [RHEL-172187]
 - crypto: algif_aead - Fix minimum RX size check for decryption (Herbert Xu) [RHEL-172187]