diff --git a/.gitignore b/.gitignore
index 0a8bc8853..b54ead673 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
 fedoraimaca.x509
-kernel-abi-stablelists-6.12.0-124.13.1.el10_1.tar.xz
-kernel-kabi-dw-6.12.0-124.13.1.el10_1.tar.xz
-linux-6.12.0-124.13.1.el10_1.tar.xz
+kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz
+kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz
+linux-6.12.0-124.16.1.el10_1.tar.xz
 nvidiagpuoot001.x509
 redhatsecureboot501.cer
 redhatsecureboot504.cer
diff --git a/Makefile.rhelver b/Makefile.rhelver
index 8e589ff8e..4d1bff452 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 124.13.1
+RHEL_RELEASE = 124.16.1
 
 #
 # RHEL_REBASE_NUM
diff --git a/kernel.changelog b/kernel.changelog
index d580b1189..ca10061f6 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,28 @@
+* Sat Nov 22 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.16.1.el10_1]
+- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759]
+- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883}
+Resolves: RHEL-119161, RHEL-125759
+
+* Thu Nov 20 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.15.1.el10_1]
+- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (CKI Backport Bot) [RHEL-125623] {CVE-2025-38724}
+- wifi: mt76: free pending offchannel tx frames on wcid cleanup (Jose Ignacio Tornos Martinez) [RHEL-123070]
+- wifi: mt76: do not add non-sta wcid entries to the poll list (Jose Ignacio Tornos Martinez) [RHEL-123070]
+- wifi: mt76: fix linked list corruption (Jose Ignacio Tornos Martinez) [RHEL-123070] {CVE-2025-39918}
+Resolves: RHEL-123070, RHEL-125623
+
+* Wed Nov 19 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.14.1.el10_1]
+- ublk: make sure ubq->canceling is set when queue is frozen (Ming Lei) [RHEL-99436] {CVE-2025-22068}
+- e1000e: fix heap overflow in e1000_set_eeprom (Corinna Vinschen) [RHEL-123127] {CVE-2025-39898}
+- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123811]
+- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123811] {CVE-2025-39968}
+- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123811] {CVE-2025-39969}
+- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123811] {CVE-2025-39970}
+- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123811] {CVE-2025-39971}
+- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123811] {CVE-2025-39972}
+- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123811] {CVE-2025-39973}
+- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123689]
+Resolves: RHEL-123127, RHEL-123689, RHEL-123811, RHEL-99436
+
 * Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.13.1.el10_1]
 - NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-127623]
 - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-127623]
diff --git a/kernel.spec b/kernel.spec
index 29e2b0ce6..014dde0fa 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -176,15 +176,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 124.13.1
+%define pkgrelease 124.16.1
 %define kversion 6
-%define tarfile_release 6.12.0-124.13.1.el10_1
+%define tarfile_release 6.12.0-124.16.1.el10_1
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 124.13.1%{?buildid}%{?dist}
+%define specrelease 124.16.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-124.13.1.el10_1
+%define kabiversion 6.12.0-124.16.1.el10_1
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -4389,14 +4389,14 @@ fi\
 #
 #
 %changelog
-* Thu Dec 04 2025 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.13.1
+* Mon Dec 08 2025 Eduard Abdullin <eabdullin@almalinux.org> - 6.12.0-124.16.1
 - Debrand for AlmaLinux OS
 - Use AlmaLinux OS secure boot cert
 
-* Thu Dec 04 2025 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.13.1
+* Mon Dec 08 2025 Neal Gompa <ngompa@almalinux.org> - 6.12.0-124.16.1
 - Enable Btrfs support for all kernel variants
 
-* Thu Dec 04 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.13.1
+* Mon Dec 08 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 6.12.0-124.16.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -4407,6 +4407,28 @@ fi\
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
+* Sat Nov 22 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.16.1.el10_1]
+- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Xin Long) [RHEL-125759]
+- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CKI Backport Bot) [RHEL-119161] {CVE-2025-39883}
+
+* Thu Nov 20 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.15.1.el10_1]
+- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (CKI Backport Bot) [RHEL-125623] {CVE-2025-38724}
+- wifi: mt76: free pending offchannel tx frames on wcid cleanup (Jose Ignacio Tornos Martinez) [RHEL-123070]
+- wifi: mt76: do not add non-sta wcid entries to the poll list (Jose Ignacio Tornos Martinez) [RHEL-123070]
+- wifi: mt76: fix linked list corruption (Jose Ignacio Tornos Martinez) [RHEL-123070] {CVE-2025-39918}
+
+* Wed Nov 19 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.14.1.el10_1]
+- ublk: make sure ubq->canceling is set when queue is frozen (Ming Lei) [RHEL-99436] {CVE-2025-22068}
+- e1000e: fix heap overflow in e1000_set_eeprom (Corinna Vinschen) [RHEL-123127] {CVE-2025-39898}
+- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123811]
+- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123811] {CVE-2025-39968}
+- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123811] {CVE-2025-39969}
+- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123811] {CVE-2025-39970}
+- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123811] {CVE-2025-39971}
+- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123811] {CVE-2025-39972}
+- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123811] {CVE-2025-39973}
+- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123689]
+
 * Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-124.13.1.el10_1]
 - NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-127623]
 - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-127623]
diff --git a/sources b/sources
index b9f84f4b4..4393687e0 100644
--- a/sources
+++ b/sources
@@ -1,7 +1,7 @@
 SHA512 (fedoraimaca.x509) = e04809394f4472c17e86d7024dee34f03fb68e82a85502fd5b00535202c72e57626a8376b2cf991b7e1e46404aa5ab8d189ebf320e0dd37d49e7efbc925c7a2e
-SHA512 (kernel-abi-stablelists-6.12.0-124.13.1.el10_1.tar.xz) = b2c34f15b031eed04293dcd89835e0746f2bbeeceda04b586208400a7bab7d064d4e20926b6942d2a69a6bb632f96a2a21a2cd4b8748aa7a960df463cdf5b5c4
-SHA512 (kernel-kabi-dw-6.12.0-124.13.1.el10_1.tar.xz) = b38176c673e473a06debdef9941242f2017d0503a08e74d7d8608f0dab5b6fe6b577d4009db5d6b5e8425e4aa55c961b01eb8fb72409729c8a578b7381e15b92
-SHA512 (linux-6.12.0-124.13.1.el10_1.tar.xz) = 47bc53b098c71cc54de781f01213c1c3b35c331f4b3da678ff7377938a761ea124eb980748f16df83b10bc083307ca405ac27d48924da269b1090a80b56d8958
+SHA512 (kernel-abi-stablelists-6.12.0-124.16.1.el10_1.tar.xz) = 54e465b309293c077574d471cd8d90f940acb310259487fa5eb5fd17805db402d38b5bf807d5a63b663c4db7425aec1009cc322c1114ef8f75073305b31b529a
+SHA512 (kernel-kabi-dw-6.12.0-124.16.1.el10_1.tar.xz) = 3a0f5bdc5d4da217879ad9130dfe2820a120d3e6c80581e50db08f5213a5de6ee475be126bdac827d76afafcb8ff4d0648539d0a5bfba5a098dbeb8825bf265f
+SHA512 (linux-6.12.0-124.16.1.el10_1.tar.xz) = c960227a79319864f9934f28072dcfee635b50e7e0a85c634e117ff5772d99fc44a0f4a872bf97d0f37c6b60fb2ca71ad662e12c60b93bf6c0b9142f29d9a8e6
 SHA512 (nvidiagpuoot001.x509) = b42f836e1cfa07890cb6ca13de9c3950e306c9ec7686c4c09f050bb68869f5d82962b2cd5f3aa0eb7a0f3a3ae54e9c480eafbac5df53aa92c295ff511a8c59fe
 SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
 SHA512 (redhatsecureboot504.cer) = d6e9b54c378769bb934ead996c1003b495bde48a17d02c8880124f36a529ef799f1e3a97202f9536c71c0d2cefe20a3532053ab73ce798ba550934eedce23ff9