diff --git a/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch b/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch
new file mode 100644
index 000000000..08b94e525
--- /dev/null
+++ b/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch
@@ -0,0 +1,55 @@
+From: Andrew Lukoshko
+Subject: [PATCH AlmaLinux 9] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on RHEL/AlmaLinux 9 (the symtype
+signature of struct task_struct is referenced by stablelist exports
+such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot
+import the field/exit_mm hunks as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-5.14.0-611.54.1.el9_7.
+
+Reported-by: Qualys Security Advisory
+Signed-off-by: Andrew Lukoshko
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -349,8 +349,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ smp_rmb();
+ mm = task->mm;
+- if (mm &&
+- ((get_dumpable(mm) != SUID_DUMP_USER) &&
+- !ptrace_has_cap(mm->user_ns, mode)))
+- return -EPERM;
++ if (mm) {
++ if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++ !ptrace_has_cap(mm->user_ns, mode))
++ return -EPERM;
++ } else if (!ptrace_has_cap(&init_user_ns, mode)) {
++ return -EPERM;
++ }
+ 
+ return security_ptrace_access_check(task, mode);
+-- 
+2.43.0
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 18b2b4918..8c50bf48b 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -165,13 +165,13 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 611.54.5
+%define pkgrelease 611.54.6
 %define kversion 5
 %define tarfile_release 5.14.0-611.54.1.el9_7
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 611.54.5%{?buildid}%{?dist}
+%define specrelease 611.54.6%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 5.14.0-611.54.1.el9_7
@@ -959,6 +959,7 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 Patch1101: 1101-rxrpc-linearize-paged-frags.patch
 Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch
+Patch1103: 1103-ptrace-require-cap-on-mm-less-task.patch
 Patch11111: ppc64le-kvm-support.patch
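Review bot: The new `} else if (!ptrace_has_cap(&init_user_ns, mode))` branch applies to every caller of __ptrace_may_access(), not only PTRACE_ATTACH, so PTRACE_MODE_READ checks against kernel threads and tasks past exit_mm() (presumably including the /proc/<pid>/stat wchan permission check and get_robust_list(), which go through ptrace_may_access()) now fail for callers lacking CAP_SYS_PTRACE in init_user_ns; the description's "requires CAP_SYS_PTRACE to attach" understates that, and the behavioural-delta paragraph should name read-mode callers so the change can be regression-tested against /proc reads of a kthread PID. The branch also carries no in-code comment, so a reader of ptrace.c sees init_user_ns chosen over any task-derived namespace with the rationale living only in this patch file; I would add above the `} else if` a comment such as `/* No mm (kernel thread, or task past exit_mm()): dumpability cannot be read, so require CAP_SYS_PTRACE in the initial namespace. kABI-safe stand-in for upstream 31e62c2ebbfd's user_dumpable bit. */`. __ptrace_may_access() begins before the quoted hunk and its closing brace lies beyond it.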
@@ -1706,6 +1707,7 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
 ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
 ApplyPatch 1101-rxrpc-linearize-paged-frags.patch
 ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch
+ApplyPatch 1103-ptrace-require-cap-on-mm-less-task.patch
 # END OF PATCH APPLICATIONS
@@ -3777,6 +3779,9 @@ fi
 #
 #
 %changelog
+* Fri May 15 2026 Andrew Lukoshko - 5.14.0-611.54.6
+- ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe)
+
+* Thu May 14 2026 Eduard Abdullin - 5.14.0-611.54.5
+- net: skbuff: propagate shared-frag marker through frag-transfer helpers