diff --git a/SOURCES/CVE-2024-1086.patch b/SOURCES/CVE-2024-1086.patch
new file mode 100644
index 0000000..319aad3
--- /dev/null
+++ b/SOURCES/CVE-2024-1086.patch
@@ -0,0 +1,34 @@
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 38ff119ab..11f4b1aab 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10442,16 +10442,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+ 
+ switch (data->verdict.code) {
+- default:
+- switch (data->verdict.code & NF_VERDICT_MASK) {
+- case NF_ACCEPT:
+- case NF_DROP:
+- case NF_QUEUE:
+- break;
+- default:
+- return -EINVAL;
+- }
+- fallthrough;
++ case NF_ACCEPT:
++ case NF_DROP:
++ case NF_QUEUE:
++ break;
+ case NFT_CONTINUE:
+ case NFT_BREAK:
+ case NFT_RETURN:
+@@ -10486,6 +10480,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ 
+ data->verdict.chain = chain;
+ break;
++ default:
++ return -EINVAL;
+ }
+ 
+ desc->len = sizeof(data->verdict);
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index ce35f98..ff90871 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -161,13 +161,14 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 362.24.1
+%define pkgrelease 362.24.2
 %define kversion 5
 %define tarfile_release 5.14.0-362.24.1.el9_3
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 362.24.1%{?buildid}%{?dist}
+# alma patched to 362.24.2 but still using 362.24.1 sources plus patch file
+%define specrelease 362.24.2%{?buildid}%{?dist}
 # This defines the kabi tarball version
 %define kabiversion 5.14.0-362.24.1.el9_3
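Review bot: The new SOURCES/CVE-2024-1086.patch begins directly at its first `diff --git a/net/netfilter/nf_tables_api.c` line with no patch header, so nothing in the source tree records where this backport comes from or what it changes; the only description is the changelog entry `netfilter: nf_tables: reject QUEUE/DROP verdict parameters {CVE-2024-1086}` in a different file. A header before that first `diff --git` line should carry the same subject, an upstream reference such as `Upstream: <upstream commit id — fill in>`, and a one-line summary of the behaviour change: the rewritten `switch (data->verdict.code)` now matches NF_ACCEPT, NF_DROP and NF_QUEUE exactly, so a code that carries extra bits outside those values, which the removed masked inner `switch (data->verdict.code & NF_VERDICT_MASK)` used to accept, now falls through to the new `default: return -EINVAL;` in the second inner hunk. Recording that in the header lets a packager confirm the backport against the upstream fix without re-reading the diff. nft_verdict_init starts before the first inner hunk and ends after the second, so the cases between them are not visible here.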
@@ -949,6 +950,7 @@ Patch1: patch-%{patchversion}-redhat.patch
 # AlmaLinux patches
 Patch1001: 0001-nvme-pci-add-BOGUS_NID-for-Intel-0a54-device.patch
+Patch1002: CVE-2024-1086.patch
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
@@ -1695,6 +1697,7 @@ ApplyOptionalPatch patch-%{patchversion}-redhat.patch
 %endif
 ApplyPatch 0001-nvme-pci-add-BOGUS_NID-for-Intel-0a54-device.patch
+ApplyPatch CVE-2024-1086.patch
 ApplyOptionalPatch linux-kernel-test.patch
@@ -3741,6 +3744,9 @@ fi
 #
 #
 %changelog
+* Fri Mar 29 2024 Jonathan Wright [5.14.0-362.24.2.el9_3]
+- netfilter: nf_tables: reject QUEUE/DROP verdict parameters {CVE-2024-1086}
+
 * Thu Feb 15 2024 Jan Stancek [5.14.0-362.24.1.el9_3]
 - RDMA/mlx5: Fix assigning access flags to cache mkeys (Mohammad Kabat) [RHEL-25242 RHEL-882]
 - drm/amdgpu: Fix potential fence use-after-free v2 (Jan Stancek) [RHEL-24501 RHEL-24504 RHEL-22506 RHEL-22507] {CVE-2023-51042}