diff --git a/1103-net-skbuff-propagate-shared-frag-marker.patch b/1103-net-skbuff-propagate-shared-frag-marker.patch
index cbd4e37d2..a92948663 100644
--- a/1103-net-skbuff-propagate-shared-frag-marker.patch
+++ b/1103-net-skbuff-propagate-shared-frag-marker.patch
@@ -1,19 +1,25 @@ -From: Eduard Abdullin +From: Andrew Lukoshko Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through frag-transfer helpers -Backport of upstream v3 patch posted at -https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/ +Backport of upstream v5 patch posted at +https://lore.kernel.org/all/ageeJfJHwgzmKXbh@v4bel/ (sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place -decrypt on shared skb frags", already part of 6.12.0-124.56.1 via the -c10s import). +decrypt on shared skb frags"). -Three frag-transfer helpers (__pskb_copy_fclone(), skb_try_coalesce(), -and skb_shift()) and the GRO accumulator helpers (skb_gro_receive() -and skb_gro_receive_list()) fail to propagate the SKBFL_SHARED_FRAG -bit in skb_shinfo()->flags when moving frag descriptors from source -to destination. As a result, the destination skb keeps a reference -to the same externally-owned or page-cache-backed pages while -reporting skb_has_shared_frag() as false. +Three frag-transfer helpers in net/core/skbuff.c +(__pskb_copy_fclone(), skb_try_coalesce(), skb_shift()) and the two +GRO accumulator helpers in net/core/gro.c (skb_gro_receive() and +skb_gro_receive_list()) fail to propagate the SKBFL_SHARED_FRAG bit +in skb_shinfo()->flags when moving frag descriptors from source to +destination. In addition, skb_segment() folds only head_skb's flag +into nskb on the per-iteration flag merge, and the inner switch that +rebinds frag_skb to list_skb on head_skb-frags exhaustion does not +fold the new frag_skb's flag into nskb. Finally, +tcp_clone_payload() builds an MTU probe skb by moving frag +descriptors from sk_write_queue skbs into a fresh nskb without +propagating the marker. As a result, the destination skb keeps a +reference to the same externally-owned or page-cache-backed pages +while reporting skb_has_shared_frag() as false. 
The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured 
@@ -39,20 +45,75 @@ skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. +skb_try_coalesce() hunk: upstream v5 drops the v3/v4 skb_try_coalesce() +change because commit f84eca581739 ("net: account for SKBFL_SHARED_FRAG +in skb_split() and skb_try_coalesce()") covers that site there. Only +the skb_split() half of f84eca581739 is currently backported in 6.12, +so the skb_try_coalesce() hunk is retained here to close the same gap. + Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") Reported-by: Sultan Alsawaf Reported-by: William Bowling Reported-by: Hyunwoo Kim -Signed-off-by: Eduard Abdullin +Signed-off-by: Andrew Lukoshko --- - net/core/gro.c | 4 ++++ - net/core/skbuff.c | 5 +++++ - 2 files changed, 9 insertions(+) + net/core/gro.c | 4 ++++ + net/core/skbuff.c | 14 +++++++++++++- + net/ipv4/tcp_output.c | 1 + + 3 files changed, 18 insertions(+), 1 deletion(-) ---- a/net/core/gro.c -+++ b/net/core/gro.c -@@ -213,10 +213,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) +--- a/net/core/skbuff.c 2026-05-28 13:12:16.410047140 +0200 ++++ b/net/core/skbuff.c 2026-05-28 13:17:15.081411917 +0200 +@@ -2123,6 +2123,7 @@ + skb_frag_ref(skb, i); + } + skb_shinfo(n)->nr_frags = i; ++ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + } + + if (skb_has_frag_list(skb)) { +@@ -4198,6 +4199,8 @@ + tgt->ip_summed = CHECKSUM_PARTIAL; + skb->ip_summed = CHECKSUM_PARTIAL; + ++ skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; ++ + skb_len_add(skb, -shiftlen); + skb_len_add(tgt, shiftlen); + +@@ -4808,7 +4811,8 @@ + skb_copy_from_linear_data_offset(head_skb, offset, + skb_put(nskb, hsize), hsize); + +- skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags & ++ skb_shinfo(nskb)->flags |= (skb_shinfo(head_skb)->flags | ++ 
skb_shinfo(frag_skb)->flags) & + SKBFL_SHARED_FRAG; + + if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC)) +@@ -4825,6 +4829,9 @@ + nfrags = skb_shinfo(list_skb)->nr_frags; + frag = skb_shinfo(list_skb)->frags; + frag_skb = list_skb; ++ ++ skb_shinfo(nskb)->flags |= skb_shinfo(frag_skb)->flags & SKBFL_SHARED_FRAG; ++ + if (!skb_headlen(list_skb)) { + BUG_ON(!nfrags); + } else { +@@ -6030,6 +6037,8 @@ + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; +--- a/net/core/gro.c 2026-05-28 13:12:16.409094447 +0200 ++++ b/net/core/gro.c 2026-05-28 13:15:11.599892601 +0200 +@@ -214,10 +214,12 @@ p->data_len += len; p->truesize += delta_truesize; p->len += len; @@ -65,42 +126,22 @@ 
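Review bot: The diffstat in the refreshed patch header does not match the hunks it precedes: the five skbuff.c hunk headers (`-2123,6 +2123,7`, `-4198,6 +4199,8`, `-4808,7 +4811,8`, `-4825,6 +4829,9`, `-6030,6 +6037,8`) add up to 10 insertions and 1 deletion, while the stat line claims `net/core/skbuff.c | 14 +++++++++++++-` and a total of 18 insertions where the hunks give 15. git am and patch ignore the stat so the backport still applies, but a hand-edited stat misleads anyone auditing what the refreshed patch touches; regenerating it with git diff --stat or dropping the stat block avoids that. A smaller style point: the skb_shift() fold is unconditional while skb_try_coalesce() guards its fold with `if (from_shinfo->nr_frags)`; skb_shift() appears to reach that line only after frag data has been moved, so the unconditional form looks correct, but a one-line comment at the skb_shift() site saying why no guard is needed would keep the two sites from reading as inconsistent. Every function touched here starts and ends outside this hunk.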
Signed-off-by: Eduard Abdullin } NAPI_GRO_CB(skb)->same_flow = 1; return 0; -@@ -244,6 +246,8 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb) +@@ -245,6 +247,8 @@ p->truesize += skb->truesize; p->len += skb->len; - + + skb_shinfo(p)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + NAPI_GRO_CB(skb)->same_flow = 1; - + return 0; ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, - skb_frag_ref(skb, i); - } - skb_shinfo(n)->nr_frags = i; -+ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; - } - - if (skb_has_frag_list(skb)) { -@@ -4198,6 +4199,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen) - tgt->ip_summed = CHECKSUM_PARTIAL; - skb->ip_summed = CHECKSUM_PARTIAL; - -+ skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; -+ - skb_len_add(skb, -shiftlen); - skb_len_add(tgt, shiftlen); - -@@ -6028,6 +6031,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, - from_shinfo->frags, - from_shinfo->nr_frags * sizeof(skb_frag_t)); - to_shinfo->nr_frags += from_shinfo->nr_frags; -+ if (from_shinfo->nr_frags) -+ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; - - if (!skb_cloned(from)) - from_shinfo->nr_frags = 0; --- -2.43.0 +--- a/net/ipv4/tcp_output.c 2026-05-28 13:12:16.846070054 +0200 ++++ b/net/ipv4/tcp_output.c 2026-05-28 13:14:19.646400034 +0200 +@@ -2380,6 +2380,7 @@ + todo = min_t(int, skb_frag_size(fragfrom), + probe_size - len); + len += todo; ++ skb_shinfo(to)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + if (lastfrag && + skb_frag_page(fragfrom) == skb_frag_page(lastfrag) && + skb_frag_off(fragfrom) == skb_frag_off(lastfrag) + diff --git a/1105-smb-client-reject-userspace-cifs.spnego-descriptions.patch b/1105-smb-client-reject-userspace-cifs.spnego-descriptions.patch new file mode 100644 index 000000000..4fbab3c28 --- /dev/null 
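Review bot: The tcp_clone_payload() fold `skb_shinfo(to)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;` sits inside the per-frag loop after `len += todo;`, so it runs once per descriptor taken from `skb` and ahead of the `lastfrag` merge branch; that placement is what makes it right (both the merge path and the new-descriptor path reference skb's pages, and if the loop can jump to commit on its first iteration as it does upstream, hoisting the fold above the loop would tag `to` from a source skb it takes nothing from), but nothing in the hunk says so. A comment on the added line such as `/* to now shares skb's frag pages; carry the marker for in-place writers */` would record the intent. The unconditional fold in skb_gro_receive_list() is similarly justified only by the description's point that skb_segment_list() reuses each sub-skb's shinfo, so a matching one-line comment there would help. tcp_clone_payload() and both gro.c functions begin and end outside this hunk.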
+++ b/1105-smb-client-reject-userspace-cifs.spnego-descriptions.patch 
@@ -0,0 +1,66 @@ +From 3da1fdf4efbc490041eb4f836bf596201203f8f2 Mon Sep 17 00:00:00 2001 +From: Asim Viladi Oglu Manizada +Date: Sat, 16 May 2026 21:15:39 +0000 +Subject: smb: client: reject userspace cifs.spnego descriptions + +cifs.spnego key descriptions contain authority-bearing fields such as +pid, uid, creduid, and upcall_target that cifs.upcall treats as +kernel-originating inputs. However, userspace can also create keys of +this type through request_key(2) or add_key(2), allowing those fields to +be supplied without CIFS origin. + +Only accept cifs.spnego descriptions while CIFS is using its private +spnego_cred to request the key. + +Fixes: f1d662a7d5e5 ("[CIFS] Add upcall files for cifs to use spnego/kerberos") +Assisted-by: avom-custom-harness:gpt-5.5-qwen3.6-mod-mix +Reviewed-by: David Howells +Signed-off-by: Asim Viladi Oglu Manizada +Signed-off-by: Steve French +--- + fs/smb/client/cifs_spnego.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/fs/smb/client/cifs_spnego.c b/fs/smb/client/cifs_spnego.c +index 3a41bbada04c76..44c40727568042 100644 +--- a/fs/smb/client/cifs_spnego.c ++++ b/fs/smb/client/cifs_spnego.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -40,12 +41,27 @@ cifs_spnego_key_destroy(struct key *key) + kfree(key->payload.data[0]); + } + ++static int ++cifs_spnego_key_vet_description(const char *description) ++{ ++ /* ++ * cifs.spnego descriptions are authority-bearing inputs to cifs.upcall. ++ * They are only valid when produced by CIFS while using the private ++ * spnego_cred installed below. Do not let userspace create this type ++ * of key through request_key(2)/add_key(2), since the helper treats ++ * pid/uid/creduid/upcall_target as kernel-originating fields. 
++ */ ++ if (current_cred() != spnego_cred) ++ return -EPERM; ++ return 0; ++} + + /* + * keytype for CIFS spnego keys + */ + struct key_type cifs_spnego_key_type = { + .name = "cifs.spnego", ++ .vet_description = cifs_spnego_key_vet_description, + .instantiate = cifs_spnego_key_instantiate, + .destroy = cifs_spnego_key_destroy, + .describe = user_describe, +-- +cgit 1.3-korg + diff --git a/kernel.spec b/kernel.spec index 7930bca9d..942c3afe2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -182,7 +182,7 @@ Summary: The Linux kernel # This is needed to do merge window version magic %define patchlevel 12 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 211.7.3%{?buildid}%{?dist} +%define specrelease 211.7.4%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 6.12.0-211.7.1.el10_2 @@ -1143,6 +1143,7 @@ Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch Patch1102: 1102-rxrpc-linearize-paged-frags.patch Patch1103: 1103-net-skbuff-propagate-shared-frag-marker.patch Patch1104: 1104-ptrace-require-cap-on-mm-less-task.patch +Patch1105: 1105-smb-client-reject-userspace-cifs.spnego-descriptions.patch # END OF PATCH DEFINITIONS @@ -2008,6 +2009,7 @@ ApplyPatch 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch ApplyPatch 1102-rxrpc-linearize-paged-frags.patch ApplyPatch 1103-net-skbuff-propagate-shared-frag-marker.patch ApplyPatch 1104-ptrace-require-cap-on-mm-less-task.patch +ApplyPatch 1105-smb-client-reject-userspace-cifs.spnego-descriptions.patch %{log_msg "End of patch applications"} # END OF PATCH APPLICATIONS 
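Review bot: cifs_spnego_key_vet_description() admits a requester only when `current_cred()` is the very `spnego_cred` pointer, which presumably means the request_key() call made under override_creds(spnego_cred) in cifs_get_spnego_key(); that caller is outside this hunk, and the block comment should name it so the two sites stay coupled, e.g. appending `* The only legitimate requester is the override_creds(spnego_cred) path in cifs_get_spnego_key().`. If `spnego_cred` can still be unset when the type is already registered, the comparison rejects every request, which fails closed; a short note saying that is intended would save the next reader from treating it as a bug. The `description` argument is unused, which is fine for this hook but deserves a word in the comment. The names on the two `#include` lines are missing from this rendering, so I cannot confirm the added header is the one that declares current_cred().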
@@ -4514,6 +4516,13 @@ fi\ # # %changelog +* Thu May 28 2026 Andrew Lukoshko - 6.12.0-211.7.4 +- net: skbuff: propagate shared-frag marker through frag-transfer helpers + (refresh to upstream v5: now also covers skb_segment() and + tcp_clone_payload(); CVE-2026-46300 "Fragnesia") +- smb: client: reject userspace cifs.spnego descriptions (upstream commit + 3da1fdf4efbc) + * Tue May 19 2026 Andrew Lukoshko - 6.12.0-211.7.3 - xfrm: esp: avoid in-place decrypt on shared skb frags (CVE-2026-43284) - rxrpc: linearize incoming DATA packet when it has paged frags (CVE-2026-43500)