diff --git a/s390utils-2.38.0-rhel.patch b/s390utils-2.38.0-rhel.patch
index e69de29..8325acf 100644
--- a/s390utils-2.38.0-rhel.patch
+++ b/s390utils-2.38.0-rhel.patch
@@ -0,0 +1,167 @@ +From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001 +From: Shalini Chellathurai Saroja +Date: Fri, 16 May 2025 16:47:24 +0200 +Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The cpictl utility sends control-program identification data +from protected virtualization guests to hosts by default. +This behaviour leaks the below potentially sensitive +information to untrusted hosts. +- system_type +- system_level +- sysplex_name +- system_name + +To prevent this behaviour, enhance the cpictl utility to stop +setting CPI information on protected virtualization guests by +default. If the user chooses to set the CPI information, it +could be set by one of the below options +- use the command line option --permit-cpi +- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to +control the CPI service behaviour during boot + +Signed-off-by: Hendrik Brueckner +Signed-off-by: Shalini Chellathurai Saroja +Reviewed-by: Jan Höppner +Reviewed-by: Peter Oberparleiter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Jan Höppner +(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551) +--- + etc/sysconfig/cpi | 14 ++++++++++++++ + scripts/cpictl | 39 +++++++++++++++++++++++++++++++++++++-- + systemd/cpi.service.in | 1 + + 3 files changed, 52 insertions(+), 2 deletions(-) + +diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi +index 866b589..78eb632 100644 +--- a/etc/sysconfig/cpi ++++ b/etc/sysconfig/cpi +@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME="" + # CPI sysplex name + # + CPI_SYSPLEX_NAME="" ++ ++# ++# CPI permit on protected virtualization guests ++# ++# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system. 
++# Enabling these options allows the host to receive potentially sensitive ++# Control-Program Identification (CPI) data from the protected virtualization ++# guest, including: ++# - system_type ++# - system_level ++# - sysplex_name ++# - system_name ++# ++CPI_PERMIT_ON_PVGUEST= +diff --git a/scripts/cpictl b/scripts/cpictl +index 16cadde..6096a67 100755 +--- a/scripts/cpictl ++++ b/scripts/cpictl +@@ -32,6 +32,9 @@ declare TYPE + declare NAME + declare SYSPLEX + ++declare PV_GUEST ++declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST" ++ + declare -i DRYRUN=0 + + # Exit codes +@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1 + readonly EXIT_ARG_TOO_LONG=3 + readonly EXIT_INVALID_CHARS=4 + readonly EXIT_INVALID_ARGS=5 ++readonly EXIT_NO_PERMIT_CPI=6 + + # Distro-IDs as supported by SE/HMC firmware + readonly DISTRO_GENERIC=0 +@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings. + -S, --sysplex SYSPLEX Set and commit the sysplex name to SYSPLEX + -T, --type TYPE Set and commit OS type to TYPE + -v, --version Print version information, then exit ++ --permit-cpi Permit to send Control-Program Identification data of ++ protected virtualization guest to the host (must be ++ specified before any commit option). See also the ++ important note. + --commit Ignore all other options and commit any uncommitted + values + --dry-run Do not actually set or commit anything, but show what +@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings. + uncommitted) values + + Environment variables used for the --defaults option: +- CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME ++ CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME, ++ CPI_PERMIT_ON_PVGUEST (See also the important note.) ++ ++Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you ++trust the host system. 
Enabling these options allows the host to receive ++potentially sensitive Control-Program Identification (CPI) data from the ++protected virtualization guest, including: ++- system_type ++- system_level ++- sysplex_name ++- system_name + + Available bits for the --set-bit option: + kvm: Indicate that system is a KVM host +@@ -124,6 +142,19 @@ fail_with() + + cpi_commit() + { ++ # Commit Control-Program Identification changes on protected ++ # virtualization guests only if it is permitted by the guest. This ++ # prevents leakage of potentially sensitive information to untrusted ++ # hosts. ++ if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then ++ read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest" ++ if [[ "$PV_GUEST" -eq 1 ]]; then ++ if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then ++ echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2 ++ exit "$EXIT_NO_PERMIT_CPI" ++ fi ++ fi ++ fi + echo 1 > "$CPI_SET" 2> /dev/null + } + +@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then + print_parse_error_and_exit + fi + +-opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@") ++opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@") + if [ $? 
-ne 0 ]; then + print_parse_error_and_exit + fi +@@ -473,6 +504,10 @@ while [ -n $1 ]; do + cpi_show + exit $EXIT_SUCCESS + ;; ++ --permit-cpi) ++ CPI_PERMIT=1 ++ shift ++ ;; + --commit) + cpi_commit + exit $EXIT_SUCCESS +diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in +index 3976f68..ca21a8b 100644 +--- a/systemd/cpi.service.in ++++ b/systemd/cpi.service.in +@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi + # Environment=CPI_SYSPLEX_NAME= + # Environment=CPI_SYSTEM_LEVEL= + # Environment=CPI_SYSTEM_TYPE=LINUX ++# Environment=CPI_PERMIT_ON_PVGUEST= + + # + # Sending data to the HMC/SE +-- +2.50.1 + diff --git a/s390utils.spec b/s390utils.spec index 7fb00f5..54fbc03 100644 --- a/s390utils.spec +++ b/s390utils.spec @@ -15,7 +15,7 @@ Name: s390utils Summary: Utilities and daemons for IBM z Systems Version: 2.38.0 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 License: MIT URL: https://github.com/ibm-s390-linux/s390-tools @@ -47,7 +47,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch # upstream fixes/updates -#Patch100: s390utils-%%{version}-rhel.patch +Patch100: s390utils-%{version}-rhel.patch # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval ExcludeArch: %{ix86} @@ -121,7 +121,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers. %patch -P 1 -p1 -b .blscfg-rpm-nvr-sort # upstream fixes/updates -#%%patch -P 100 -p1 +%patch -P 100 -p1 # remove --strip from install find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g' @@ -1095,6 +1095,10 @@ User-space development files for the s390/s390x architecture. %changelog +* Wed Aug 13 2025 Dan Horák - 2:2.38.0-2 +- cpi: Disable CPI for SEL guests by default (RHEL-76931) +- Resolves: RHEL-76931 + * Mon Jul 14 2025 Dan Horák - 2:2.38.0-1 - rebased to 2.38.0 (RHEL-73342) - LPAR level power consumption reporting (RHEL-72675)
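Review bot: In the embedded scripts/cpictl change, `declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"` gives the variable the integer attribute, so bash evaluates whatever the environment supplies as an arithmetic expression instead of comparing it literally, and an empty value becomes 0, which leaves the `-z "$CPI_PERMIT"` test in cpi_commit() with little to do. For a switch that decides whether identification data leaves a protected guest, a plain string and an exact match would be stricter: `declare CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"` and `if [[ "$CPI_PERMIT" != "1" ]]; then`. The help text also tells users to pass `--permit_cpi`, while getopt only registers `--permit-cpi`; the note should read `Set CPI_PERMIT_ON_PVGUEST=1 or use the --permit-cpi option only if you`. Separately, the guard fails open: if `/sys/firmware/uv/prot_virt_guest` is absent or the `read` fails, the commit proceeds, so it is worth confirming that every supported kernel exposes that attribute on secure-execution guests.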