diff --git a/0085-mount-improve-all-documentation.patch b/0085-mount-improve-all-documentation.patch
new file mode 100644
index 0000000..087fc8c
--- /dev/null
+++ b/0085-mount-improve-all-documentation.patch
@@ -0,0 +1,41 @@
+From b9dcdb44a709d4ac285779bb80598b344fb99ac2 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Wed, 22 Oct 2025 10:49:23 +0200
+Subject: mount: improve --all documentation
+
+Add notes to the --all option description:
+- Historical context: mount -a was originally designed for init scripts
+- Modern usage: systemd-based distributions use systemd units instead
+- Swap handling: swap entries in fstab are silently ignored, use swapon -a
+
+Addresses: https://issues.redhat.com/browse/RHEL-123527
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ sys-utils/mount.8.adoc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc
+index 6e72d48c4..66ea7f61f 100644
+--- a/sys-utils/mount.8.adoc
++++ b/sys-utils/mount.8.adoc
+@@ -299,12 +299,16 @@ The *mount* command does not pass all command-line options to the **/sbin/mount.
+ Command-line options available for the *mount* command are:
+ 
+ *-a*, *--all*::
+-Mount all filesystems (of the given types) mentioned in _fstab_ (except for those whose line contains the *noauto* keyword). The filesystems are mounted following their order in _fstab_. The *mount* command compares filesystem source, target (and fs root for bind mount or btrfs) to detect already mounted filesystems. The kernel table with already mounted filesystems is cached during *mount --all*. This means that all duplicated _fstab_ entries will be mounted.
++Mount all filesystems (of the given types) mentioned in _fstab_ (except for those whose line contains the *noauto* keyword). This option was originally designed for use in init scripts. Note that many modern systemd-based distributions do not use *mount -a* on boot and instead mount filesystems in a more sophisticated way using systemd units.
+++
++The filesystems are mounted following their order in _fstab_. The *mount* command compares filesystem source, target (and fs root for bind mount or btrfs) to detect already mounted filesystems. The kernel table with already mounted filesystems is cached during *mount --all*. This means that all duplicated _fstab_ entries will be mounted.
+ +
+ The option *--all* is possible to use for remount operation too. In this case all filters (*-t* and *-O*) are applied to the table of already mounted filesystems.
+ +
+ Since version 2.35 is possible to use the command line option *-o* to alter mount options from _fstab_ (see also *--options-mode*).
+ +
++Note that swap entries in _fstab_ are silently ignored by *mount -a*. Use *swapon -a* to enable swap devices and files. See *swapon*(8).
+++
+ Note that it is a bad practice to use *mount -a* for _fstab_ checking. The recommended solution is *findmnt --verify*.
+ 
+ *-B*, *--bind*::
+-- 
+2.51.1
+
diff --git a/0086-libblkid-use-snprintf-instead-of-sprintf.patch b/0086-libblkid-use-snprintf-instead-of-sprintf.patch
new file mode 100644
index 0000000..2987d49
--- /dev/null
+++ b/0086-libblkid-use-snprintf-instead-of-sprintf.patch
@@ -0,0 +1,132 @@
+From ffcd2a314076d7e0df92d851480c313a823573a7 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 10 Nov 2025 10:37:09 +0100
+Subject: libblkid: use snprintf() instead of sprintf()
+
+Replace sprintf() calls with snprintf() to ensure proper bounds
+checking when formatting strings.
+
+In encode.c, the check now validates snprintf() return value instead
+of pre-checking buffer size, providing more robust error handling.
+
+In save.c, snprintf() is used with size_t len variables to track
+buffer sizes for temporary and backup filename creation.
+
+In devname.c, snprintf() is used for both fixed-size buffers (with
+sizeof()) and dynamically allocated buffers (with size_t len
+variables).
+
+Addresses: https://issues.redhat.com/browse/RHEL-123531
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libblkid/src/devname.c | 16 +++++++++-------
+ libblkid/src/encode.c  |  6 ++++--
+ libblkid/src/save.c    | 10 ++++++----
+ 3 files changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/devname.c b/libblkid/src/devname.c
+index c541d30ba..a48a81a45 100644
+--- a/libblkid/src/devname.c
++++ b/libblkid/src/devname.c
+@@ -164,7 +164,7 @@ static int is_dm_leaf(const char *devname)
+ 		    strncmp(de->d_name, "dm-", 3) != 0 ||
+ 		    strlen(de->d_name) > sizeof(path)-32)
+ 			continue;
+-		sprintf(path, "/sys/block/%s/slaves", de->d_name);
++		snprintf(path, sizeof(path), "/sys/block/%s/slaves", de->d_name);
+ 		if ((d_dir = opendir(path)) == NULL)
+ 			continue;
+ 		while ((d_de = readdir(d_dir)) != NULL) {
+@@ -321,14 +321,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ 		char		*vdirname;
+ 		char		*vg_name;
+ 		struct dirent	*lv_iter;
++		size_t		len;
+ 
+ 		vg_name = vg_iter->d_name;
+ 		if (!strcmp(vg_name, ".") || !strcmp(vg_name, ".."))
+ 			continue;
+-		vdirname = malloc(vg_len + strlen(vg_name) + 8);
++		len = vg_len + strlen(vg_name) + 8;
++		vdirname = malloc(len);
+ 		if (!vdirname)
+ 			goto exit;
+-		sprintf(vdirname, "%s/%s/LVs", VG_DIR, vg_name);
++		snprintf(vdirname, len, "%s/%s/LVs", VG_DIR, vg_name);
+ 
+ 		lv_list = opendir(vdirname);
+ 		free(vdirname);
+@@ -342,16 +344,16 @@ static void lvm_probe_all(blkid_cache cache, int only_if_new)
+ 			if (!strcmp(lv_name, ".") || !strcmp(lv_name, ".."))
+ 				continue;
+ 
+-			lvm_device = malloc(vg_len + strlen(vg_name) +
+-					    strlen(lv_name) + 8);
++			len = vg_len + strlen(vg_name) + strlen(lv_name) + 8;
++			lvm_device = malloc(len);
+ 			if (!lvm_device) {
+ 				closedir(lv_list);
+ 				goto exit;
+ 			}
+-			sprintf(lvm_device, "%s/%s/LVs/%s", VG_DIR, vg_name,
++			snprintf(lvm_device, len, "%s/%s/LVs/%s", VG_DIR, vg_name,
+ 				lv_name);
+ 			dev = lvm_get_devno(lvm_device);
+-			sprintf(lvm_device, "%s/%s", vg_name, lv_name);
++			snprintf(lvm_device, len, "%s/%s", vg_name, lv_name);
+ 			DBG(DEVNAME, ul_debug("Probe LVM dev %s: devno 0x%04X",
+ 						  lvm_device,
+ 						  (unsigned int) dev));
+diff --git a/libblkid/src/encode.c b/libblkid/src/encode.c
+index 9c2220428..d79865a76 100644
+--- a/libblkid/src/encode.c
++++ b/libblkid/src/encode.c
+@@ -263,9 +263,11 @@ int blkid_encode_string(const char *str, char *str_enc, size_t len)
+ 			j += seqlen;
+ 			i += (seqlen-1);
+ 		} else if (str[i] == '\\' || !is_whitelisted(str[i], NULL)) {
+-			if (len-j < 4)
++			int rc;
++
++			rc = snprintf(&str_enc[j], len-j, "\\x%02x", (unsigned char) str[i]);
++			if (rc != 4)
+ 				goto err;
+-			sprintf(&str_enc[j], "\\x%02x", (unsigned char) str[i]);
+ 			j += 4;
+ 		} else {
+ 			if (len-j < 1)
+diff --git a/libblkid/src/save.c b/libblkid/src/save.c
+index 9a342c69c..1a617c072 100644
+--- a/libblkid/src/save.c
++++ b/libblkid/src/save.c
+@@ -128,9 +128,10 @@ int blkid_flush_cache(blkid_cache cache)
+ 	 * a temporary file then we open it directly.
+ 	 */
+ 	if (ret == 0 && S_ISREG(st.st_mode)) {
+-		tmp = malloc(strlen(filename) + 8);
++		size_t len = strlen(filename) + 8;
++		tmp = malloc(len);
+ 		if (tmp) {
+-			sprintf(tmp, "%s-XXXXXX", filename);
++			snprintf(tmp, len, "%s-XXXXXX", filename);
+ 			fd = mkstemp_cloexec(tmp);
+ 			if (fd >= 0) {
+ 				if (fchmod(fd, 0644) != 0)
+@@ -178,10 +179,11 @@ int blkid_flush_cache(blkid_cache cache)
+ 			DBG(SAVE, ul_debug("unlinked temp cache %s", opened));
+ 		} else {
+ 			char *backup;
++			size_t len = strlen(filename) + 5;
+ 
+-			backup = malloc(strlen(filename) + 5);
++			backup = malloc(len);
+ 			if (backup) {
+-				sprintf(backup, "%s.old", filename);
++				snprintf(backup, len, "%s.old", filename);
+ 				unlink(backup);
+ 				if (link(filename, backup)) {
+ 					DBG(SAVE, ul_debug("can't link %s to %s",
+-- 
+2.51.1
+
diff --git a/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch b/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
new file mode 100644
index 0000000..0f27c4e
--- /dev/null
+++ b/0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
@@ -0,0 +1,46 @@
+From d1ae8502f423420320b0a7d2656a3a0cc41f2416 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 30 Oct 2025 12:11:43 +0100
+Subject: libfdisk: (dos) fix off-by-one in maximum last sector calculation
+
+The get_disk_ranges() function incorrectly capped the last usable
+sector at UINT_MAX, which could cause an overflow when calculating
+partition size for MBR partition tables.
+
+MBR stores partition size as a 32-bit value with maximum UINT_MAX.
+The partition size is calculated as: size = stop - start + 1
+
+For a partition starting at sector 0:
+- If stop = UINT_MAX: size = UINT_MAX + 1 (overflow!)
+- If stop = UINT_MAX - 1: size = UINT_MAX (correct maximum)
+
+This fixes the inconsistency where dos_init() correctly warns about
+disks larger than UINT_MAX sectors (2TiB - 512 bytes for 512-byte
+sectors), but get_disk_ranges() allowed creating partitions that
+would overflow the 32-bit size field.
+
+Addresses: https://issues.redhat.com/browse/RHEL-123536
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit 578923fe582903628ecc0d2a434af0affa3660d2)
+---
+ libfdisk/src/dos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libfdisk/src/dos.c b/libfdisk/src/dos.c
+index 5d93e09b8..e6e0e757c 100644
+--- a/libfdisk/src/dos.c
++++ b/libfdisk/src/dos.c
+@@ -1145,8 +1145,8 @@ static int get_disk_ranges(struct fdisk_context *cxt, int logical,
+ 		else
+ 			*last = cxt->total_sectors - 1;
+ 
+-		if (*last > UINT_MAX)
+-			*last = UINT_MAX;
++		if (*last >= UINT_MAX)
++			*last = UINT_MAX - 1;
+ 		*first = cxt->first_lba;
+ 	}
+ 
+-- 
+2.51.1
+
diff --git a/util-linux.spec b/util-linux.spec
index 6090337..7b0134b 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux
 Version: 2.37.4
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL: http://en.wikipedia.org/wiki/Util-linux
 
@@ -242,7 +242,12 @@ Patch82: 0082-sulogin-fix-POSIX-locale-use.patch
 Patch83: 0083-lscpu-update-ARM-identifiers.patch
 # RHEL-108386 - libblkid: (jmicron_raid) backport checksum verification
 Patch84: 0084-libblkid-jmicron_raid-backport-checksum-verification.patch
-
+# RHEL-123527 - mount: improve --all documentation
+Patch85: 0085-mount-improve-all-documentation.patch
+# RHEL-123531 - libblkid: use snprintf() instead of sprintf()
+Patch86: 0086-libblkid-use-snprintf-instead-of-sprintf.patch
+# RHEL-123536 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
+Patch87: 0087-libfdisk-dos-fix-off-by-one-in-maximum-last-sector-c.patch
 
 %description
 The util-linux package contains a large variety of low-level system
@@ -1077,6 +1082,11 @@ fi
 %{_libdir}/python*/site-packages/libmount/
 
 %changelog
+* Mon Nov 10 2025 Karel Zak <kzak@redhat.com> 2.37.4-23
+- fix RHEL-123527 - mount: improve --all documentation
+- fix RHEL-123531 - libblkid: use snprintf() instead of sprintf()
+- fix RHEL-123536 - libfdisk: (dos) fix off-by-one in maximum last sector calculation
+
 * Mon Oct 13 2025 Karel Zak <kzak@redhat.com> 2.37.4-22
 - fix RHEL-113638 - lscpu: update ARM identifiers
 - fix RHEL-108386 - libblkid: (jmicron_raid) backport checksum verification