diff --git a/.gitignore b/.gitignore
index e1fb4e05c..935876175 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,9 @@
-SOURCES/kernel-abi-stablelists-5.14.0-611.5.1.el9_7.tar.bz2
-SOURCES/kernel-kabi-dw-5.14.0-611.5.1.el9_7.tar.bz2
-SOURCES/linux-5.14.0-611.5.1.el9_7.tar.xz
+SOURCES/kernel-abi-stablelists-5.14.0-611.9.1.el9_7.tar.bz2
+SOURCES/kernel-kabi-dw-5.14.0-611.9.1.el9_7.tar.bz2
+SOURCES/linux-5.14.0-611.9.1.el9_7.tar.xz
 SOURCES/nvidiagpuoot001.x509
+SOURCES/olima1.x509
+SOURCES/olimaca1.x509
 SOURCES/redhatsecureboot504.cer
 SOURCES/rheldup3.x509
 SOURCES/rhelima.x509
diff --git a/.kernel.metadata b/.kernel.metadata
index 95c49c3e4..3bb0488a1 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,7 +1,9 @@
-812344e0e704956beb5171bc0700229f5b13d0cd SOURCES/kernel-abi-stablelists-5.14.0-611.5.1.el9_7.tar.bz2
-414760362a9fc5fc5408496356454f28f0067af9 SOURCES/kernel-kabi-dw-5.14.0-611.5.1.el9_7.tar.bz2
-44f7428ead0ce9c1034922321ef09d050bfcd61d SOURCES/linux-5.14.0-611.5.1.el9_7.tar.xz
+80932c91094c1eb960fe0ce6a80d82af35e4f5af SOURCES/kernel-abi-stablelists-5.14.0-611.9.1.el9_7.tar.bz2
+88b33b037ebd091b82f91d4d23b5198e1a40dc09 SOURCES/kernel-kabi-dw-5.14.0-611.9.1.el9_7.tar.bz2
+0ebeddf4ed7c8c9a942ce2922bae115f03d601b9 SOURCES/linux-5.14.0-611.9.1.el9_7.tar.xz
 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509
+706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509
+6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509
 1d51d3a037ad287095b0a13c4deeb1252d8ff0cc SOURCES/redhatsecureboot504.cer
 95b9b811c7b0a6c98b2eafc4e7d6d24f2cb63289 SOURCES/rheldup3.x509
 99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/rhelima.x509
diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver
index 9ec6f976d..539e233e1 100644
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 7
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 611.5.1
+RHEL_RELEASE = 611.9.1
 
 #
 # ZSTREAM
diff --git a/SOURCES/kernel-x86_64-debug-rhel.config b/SOURCES/kernel-x86_64-debug-rhel.config
index b5232309a..e4a7ea5e4 100644
--- a/SOURCES/kernel-x86_64-debug-rhel.config
+++ b/SOURCES/kernel-x86_64-debug-rhel.config
@@ -2564,7 +2564,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -2892,6 +2892,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_PROVE_MMU=y
@@ -3396,6 +3397,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_EN_DCB=y
diff --git a/SOURCES/kernel-x86_64-rhel.config b/SOURCES/kernel-x86_64-rhel.config
index bd3a1917d..4c8f092cc 100644
--- a/SOURCES/kernel-x86_64-rhel.config
+++ b/SOURCES/kernel-x86_64-rhel.config
@@ -2548,7 +2548,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -2872,6 +2872,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 # CONFIG_KVM_PROVE_MMU is not set
@@ -3376,6 +3377,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_EN_DCB=y
diff --git a/SOURCES/kernel-x86_64-rt-debug-rhel.config b/SOURCES/kernel-x86_64-rt-debug-rhel.config
index 95f371591..186cf9767 100644
--- a/SOURCES/kernel-x86_64-rt-debug-rhel.config
+++ b/SOURCES/kernel-x86_64-rt-debug-rhel.config
@@ -2619,7 +2619,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -2950,6 +2950,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 CONFIG_KVM_PROVE_MMU=y
@@ -3455,6 +3456,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_DEBUG=y
diff --git a/SOURCES/kernel-x86_64-rt-rhel.config b/SOURCES/kernel-x86_64-rt-rhel.config
index 4d6614cff..6cc20f191 100644
--- a/SOURCES/kernel-x86_64-rt-rhel.config
+++ b/SOURCES/kernel-x86_64-rt-rhel.config
@@ -2603,7 +2603,7 @@ CONFIG_INTEL_SDSI=m
 CONFIG_INTEL_SPEED_SELECT_INTERFACE=m
 CONFIG_INTEL_TCC_COOLING=m
 CONFIG_INTEL_TDX_GUEST=y
-# CONFIG_INTEL_TDX_HOST is not set
+CONFIG_INTEL_TDX_HOST=y
 CONFIG_INTEL_TH_ACPI=m
 CONFIG_INTEL_THC_HID=m
 # CONFIG_INTEL_TH_DEBUG is not set
@@ -2930,6 +2930,7 @@ CONFIG_KVM_GUEST=y
 CONFIG_KVM_HYPERV=y
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_INTEL_PROVE_VE is not set
+CONFIG_KVM_INTEL_TDX=y
 CONFIG_KVM=m
 CONFIG_KVM_MAX_NR_VCPUS=4096
 # CONFIG_KVM_PROVE_MMU is not set
@@ -3435,6 +3436,7 @@ CONFIG_MITIGATION_SSB=y
 CONFIG_MITIGATION_TAA=y
 CONFIG_MITIGATION_TSA=y
 CONFIG_MITIGATION_UNRET_ENTRY=y
+CONFIG_MITIGATION_VMSCAPE=y
 # CONFIG_MK8 is not set
 CONFIG_MLX4_CORE_GEN2=y
 CONFIG_MLX4_DEBUG=y
diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog
index c6db83998..f3ea02828 100644
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@@ -1,3 +1,111 @@
+* Sat Nov 15 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.9.1.el9_7]
+- NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-124651]
+- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-124651]
+- mm: slub: avoid wake up kswapd in set_track_prepare (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- slub: Reflow ___slab_alloc() (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123686]
+Resolves: RHEL-123686, RHEL-124651, RHEL-125521
+
+* Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.8.1.el9_7]
+- NFSD: Fix callback decoder status codes (Jay Shin) [RHEL-127193]
+- NFSD: Fix CB_GETATTR status fix (Jay Shin) [RHEL-127193]
+- NFSD: fix decoding in nfs4_xdr_dec_cb_getattr (Jay Shin) [RHEL-127193]
+- kernfs: Fix UAF in polling when open file is released (Pavel Reichl) [RHEL-122087] {CVE-2025-39881}
+- gitlab-ci: disable automotive pipelines (Scott Weaver)
+- NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (Benjamin Coddington) [RHEL-122154]
+- sched: Add wait/wake interface for variable updated under a lock. (Benjamin Coddington) [RHEL-122154]
+- sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (Benjamin Coddington) [RHEL-122154]
+- sched: Document wait_var_event() family of functions and wake_up_var() (Benjamin Coddington) [RHEL-122154]
+- sched: Improve documentation for wake_up_bit/wait_on_bit family of functions (Benjamin Coddington) [RHEL-122154]
+- sched: change wake_up_bit() and related function to expect unsigned long * (Benjamin Coddington) [RHEL-122154]
+- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} [rhel-9.7.z] (Xin Long) [RHEL-125513]
+- redhat: use the same cert as UKI's to sign addons (Li Tian) [RHEL-125317]
+- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123808]
+- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123808] {CVE-2025-39968}
+- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123808] {CVE-2025-39969}
+- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123808] {CVE-2025-39970}
+- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123808] {CVE-2025-39971}
+- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123808] {CVE-2025-39972}
+- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123808] {CVE-2025-39973}
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124971] {CVE-2025-40047}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124129] {CVE-2025-39983}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123821] {CVE-2025-39982}
+- use uniform permission checks for all mount propagation changes (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- do_change_type(): refuse to operate on unmounted/not ours mounts (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (Jon Maloy) [RHEL-117136] {CVE-2025-38351}
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-117438]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-117438]
+- NFS: Fix a race when updating an existing write (CKI Backport Bot) [RHEL-113855] {CVE-2025-39697}
+Resolves: RHEL-113855, RHEL-117136, RHEL-117438, RHEL-121704, RHEL-122087, RHEL-122154, RHEL-123808, RHEL-123821, RHEL-124129, RHEL-124971, RHEL-125317, RHEL-125513, RHEL-127193
+
+* Thu Oct 30 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.7.1.el9_7]
+- The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hájková)
+- crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494}
+- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874]
+- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540]
+- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730]
+- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702}
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434]
+- vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718}
+Resolves: RHEL-112874, RHEL-114298, RHEL-114434, RHEL-115730, RHEL-116383, RHEL-116540, RHEL-119236
+
+* Thu Oct 23 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.6.1.el9_7]
+- pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331}
+- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817}
+- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810]
+- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571}
+- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880]
+- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880]
+- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819}
+- sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566}
+- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849}
+- crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373}
+- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187]
+- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367}
+- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087}
+- hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070]
+- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070]
+- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070]
+- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070]
+- net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070]
+- net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451]
+- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146]
+- KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146]
+- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146]
+- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146]
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437]
+- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272]
+- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917]
+Resolves: RHEL-110810, RHEL-111069, RHEL-113837, RHEL-113917, RHEL-114272, RHEL-114437, RHEL-114451, RHEL-115070, RHEL-116187, RHEL-116662, RHEL-117235, RHEL-117580, RHEL-117880, RHEL-118257, RHEL-119074, RHEL-119130, RHEL-122068, RHEL-27146
+
 * Fri Oct 17 2025 Augusto Caringi <acaringi@redhat.com> [5.14.0-611.5.1.el9_7]
 - redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122230]
 Resolves: RHEL-122230
diff --git a/SOURCES/rpminspect.yaml b/SOURCES/rpminspect.yaml
index baf5134a1..1b37a2351 100644
--- a/SOURCES/rpminspect.yaml
+++ b/SOURCES/rpminspect.yaml
@@ -21,10 +21,21 @@ emptyrpm:
         - kernel-debug
         - kernel-debug-devel-matched
         - kernel-devel-matched
-        - kernel-lpae
         - kernel-zfcpdump
         - kernel-zfcpdump-devel-matched
         - kernel-zfcpdump-modules
+        - kernel-64k
+        - kernel-64k-debug
+        - kernel-64k-debug-devel-matched
+        - kernel-64k-devel-matched
+        - kernel-rt
+        - kernel-rt-debug
+        - kernel-rt-debug-devel-matched
+        - kernel-rt-devel-matched
+        - kernel-rt-64k
+        - kernel-rt-64k-debug
+        - kernel-rt-64k-debug-devel-matched
+        - kernel-rt-64k-devel-matched
 
 patches:
     ignore_list:
diff --git a/SOURCES/uki_addons.json b/SOURCES/uki_addons.json
index b595dd8c4..36371480b 100644
--- a/SOURCES/uki_addons.json
+++ b/SOURCES/uki_addons.json
@@ -1,39 +1,10 @@
 {
-    "virt": {
-        "rhel": {
-            "aarch64": {
-                "crashkernel-default.addon": [
-                    "crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n"
-                ]
-            }
-        },
-        "common": {
-            "fips-enable.addon": [
-                "fips=1\n"
-            ],
-            "fips-disable.addon": [
-                "fips=0\n"
-            ]
-        }
-    },
     "common": {
-        "systemd-volatile-overlay.addon": [
-            "systemd.volatile=overlay"
-        ],
-        "crashkernel-512M.addon": [
-            "crashkernel=512M\n"
-        ],
-        "crashkernel-192M.addon": [
-            "crashkernel=192M\n"
-        ],
-        "crashkernel-2G.addon": [
-            "crashkernel=2G\n"
-        ],
         "crashkernel-1536M.addon": [
             "crashkernel=1536M\n"
         ],
-        "debug.addon": [
-            "debug\n"
+        "crashkernel-192M.addon": [
+            "crashkernel=192M\n"
         ],
         "crashkernel-1G.addon": [
             "crashkernel=1G\n"
@@ -41,8 +12,37 @@
         "crashkernel-256M.addon": [
             "crashkernel=256M\n"
         ],
+        "crashkernel-2G.addon": [
+            "crashkernel=2G\n"
+        ],
+        "crashkernel-512M.addon": [
+            "crashkernel=512M\n"
+        ],
         "crashkernel-default.addon": [
             "crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M\n"
+        ],
+        "debug.addon": [
+            "debug\n"
+        ],
+        "systemd-volatile-overlay.addon": [
+            "systemd.volatile=overlay"
         ]
+    },
+    "virt": {
+        "common": {
+            "fips-disable.addon": [
+                "fips=0\n"
+            ],
+            "fips-enable.addon": [
+                "fips=1\n"
+            ]
+        },
+        "rhel": {
+            "aarch64": {
+                "crashkernel-default.addon": [
+                    "crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M\n"
+                ]
+            }
+        }
     }
 }
\ No newline at end of file
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 938e62ce8..63c0cdf42 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.5.1
+%define pkgrelease 611.9.1
 %define kversion 5
-%define tarfile_release 5.14.0-611.5.1.el9_7
+%define tarfile_release 5.14.0-611.9.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.5.1%{?buildid}%{?dist}
+%define specrelease 611.9.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-611.5.1.el9_7
+%define kabiversion 5.14.0-611.9.1.el9_7
 
 #
 # End of genspec.sh variables
@@ -2475,7 +2475,7 @@ BuildKernel() {
         mv $KernelUnifiedImage.signed $KernelUnifiedImage
 
       for addon in "$KernelAddonsDirOut"/*; do
-        %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
+        %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
         rm -f $addon
         mv $addon.signed $addon
       done
@@ -3768,7 +3768,7 @@ fi
 #
 #
 %changelog
-* Tue Nov 11 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.5.1
+* Thu Nov 27 2025 Andrew Lukoshko <alukoshko@almalinux.org> - 5.14.0-611.9.1
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024
 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024
@@ -3779,17 +3779,114 @@ fi
 - kernel/rh_messages.h: enable all disabled pci devices by moving to
   unmaintained
 
-* Tue Nov 11 2025 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.5.1
+* Thu Nov 27 2025 Eduard Abdullin <eabdullin@almalinux.org> - 5.14.0-611.9.1
 - Use AlmaLinux OS secure boot cert
 - Debrand for AlmaLinux OS
 - Add KVM support for ppc64le
 
-* Tue Nov 11 2025 Andrew Lukoshko <alukoshko@almalinux.org> [5.14.0-611.5.1.el9_7]
-- Update RHEL_RELEASE, ZSTREAM, and DIST (Andrew Lukoshko)
-- kernel-5.14.0-611.5.1.el9_7 (Augusto Caringi)
-- Merge: kabi: add symbols to stablelist and enable check-kabi (Augusto Caringi) [RHEL-113010]
-- Merge tag 'kernel-5.14.0-611.4.1.el9_7' into main (Patrick Talbert)
-- Merge tag 'kernel-5.14.0-611.2.1.el9_7' from 9.7 (Augusto Caringi)
+* Sat Nov 15 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.9.1.el9_7]
+- NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) [RHEL-124651]
+- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia) [RHEL-124651]
+- mm: slub: avoid wake up kswapd in set_track_prepare (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- slub: Reflow ___slab_alloc() (Audra Mitchell) [RHEL-125521] {CVE-2025-39843}
+- nvme-multipath: Skip nr_active increments in RETRY disposition (Ewan D. Milne) [RHEL-123686]
+
+* Thu Nov 13 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.8.1.el9_7]
+- NFSD: Fix callback decoder status codes (Jay Shin) [RHEL-127193]
+- NFSD: Fix CB_GETATTR status fix (Jay Shin) [RHEL-127193]
+- NFSD: fix decoding in nfs4_xdr_dec_cb_getattr (Jay Shin) [RHEL-127193]
+- kernfs: Fix UAF in polling when open file is released (Pavel Reichl) [RHEL-122087] {CVE-2025-39881}
+- gitlab-ci: disable automotive pipelines (Scott Weaver)
+- NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() (Benjamin Coddington) [RHEL-122154]
+- sched: Add wait/wake interface for variable updated under a lock. (Benjamin Coddington) [RHEL-122154]
+- sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() (Benjamin Coddington) [RHEL-122154]
+- sched: Document wait_var_event() family of functions and wake_up_var() (Benjamin Coddington) [RHEL-122154]
+- sched: Improve documentation for wake_up_bit/wait_on_bit family of functions (Benjamin Coddington) [RHEL-122154]
+- sched: change wake_up_bit() and related function to expect unsigned long * (Benjamin Coddington) [RHEL-122154]
+- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} [rhel-9.7.z] (Xin Long) [RHEL-125513]
+- redhat: use the same cert as UKI's to sign addons (Li Tian) [RHEL-125317]
+- i40e: add mask to apply valid bits for itr_idx (Michal Schmidt) [RHEL-123808]
+- i40e: add max boundary check for VF filters (Michal Schmidt) [RHEL-123808] {CVE-2025-39968}
+- i40e: fix validation of VF state in get resources (Michal Schmidt) [RHEL-123808] {CVE-2025-39969}
+- i40e: fix input validation logic for action_meta (Michal Schmidt) [RHEL-123808] {CVE-2025-39970}
+- i40e: fix idx validation in config queues msg (Michal Schmidt) [RHEL-123808] {CVE-2025-39971}
+- i40e: fix idx validation in i40e_validate_queue_map (Michal Schmidt) [RHEL-123808] {CVE-2025-39972}
+- i40e: add validation for ring_len param (Michal Schmidt) [RHEL-123808] {CVE-2025-39973}
+- io_uring/waitid: always prune wait queue entry in io_waitid_wait() (CKI Backport Bot) [RHEL-124971] {CVE-2025-40047}
+- Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue (CKI Backport Bot) [RHEL-124129] {CVE-2025-39983}
+- Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync (CKI Backport Bot) [RHEL-123821] {CVE-2025-39982}
+- use uniform permission checks for all mount propagation changes (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- do_change_type(): refuse to operate on unmounted/not ours mounts (Ian Kent) [RHEL-121704] {CVE-2025-38498}
+- KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush (Jon Maloy) [RHEL-117136] {CVE-2025-38351}
+- ibmveth: Add multi buffers rx replenishment hcall support (Mamatha Inamdar) [RHEL-117438]
+- net: ibmveth: Reset the adapter when unexpected states are detected (Mamatha Inamdar) [RHEL-117438]
+- NFS: Fix a race when updating an existing write (CKI Backport Bot) [RHEL-113855] {CVE-2025-39697}
+
+* Thu Oct 30 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.7.1.el9_7]
+- The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hájková)
+- crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494}
+- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874]
+- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874]
+- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540]
+- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730]
+- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702}
+- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434]
+- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434]
+- vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718}
+
+* Thu Oct 23 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [5.14.0-611.6.1.el9_7]
+- pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331}
+- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074]
+- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841}
+- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817}
+- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810]
+- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571}
+- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880]
+- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880]
+- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880]
+- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819}
+- sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566}
+- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849}
+- crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373}
+- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187]
+- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367}
+- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087}
+- hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070]
+- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070]
+- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070]
+- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070]
+- RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070]
+- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070]
+- net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070]
+- net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070]
+- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451]
+- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451]
+- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146]
+- KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146]
+- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146]
+- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146]
+- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146]
+- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437]
+- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437]
+- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272]
+- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
+- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272]
+- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917]
 
 * Fri Oct 17 2025 Augusto Caringi <acaringi@redhat.com> [5.14.0-611.5.1.el9_7]
 - redhat: revert to using redhatsecureboot504 for RHEL UKI (Vitaly Kuznetsov) [RHEL-122230]