diff --git a/.mergify.yml b/.mergify.yml
index 28efa4c2c534..45938a112319 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -15,111 +15,6 @@ pull_request_rules:
       comment:
         message: Hi @{{author}}, this pull request was opened against a release branch, is it expected? Normally patches should go in the master branch first and then be backported to release branches.
 
-  # release-1.11 branch
-  - name: automerge backport release-1.11
-    conditions:
-      - author=mergify[bot]
-      - base=release-1.11
-      - label!=do-not-merge
-      - "status-success=DCO"
-      - "check-success=linux-build-all (1.19)"
-      - "check-success=unittests"
-      - "check-success=golangci-lint"
-      - "check-success=codegen"
-      - "check-success=codespell"
-      - "check-success=lint"
-      - "check-success=modcheck"
-      - "check-success=Shellcheck"
-      - "check-success=yaml-linter"
-      - "check-success=lint-test"
-      - "check-success=gen-rbac"
-      - "check-success=crds-gen"
-      - "check-success=docs-check"
-      - "check-success=pylint"
-      - "check-success=canary"
-      - "check-success=raw-disk"
-      - "check-success=two-osds-in-device"
-      - "check-success=osd-with-metadata-device"
-      - "check-success=encryption"
-      - "check-success=lvm"
-      - "check-success=pvc"
-      - "check-success=pvc-db"
-      - "check-success=pvc-db-wal"
-      - "check-success=encryption-pvc"
-      - "check-success=encryption-pvc-db"
-      - "check-success=encryption-pvc-db-wal"
-      - "check-success=encryption-pvc-kms-vault-token-auth"
-      - "check-success=encryption-pvc-kms-vault-k8s-auth"
-      - "check-success=lvm-pvc"
-      - "check-success=rgw-multisite-testing"
-      - "check-success=TestCephSmokeSuite (v1.21.14)"
-      - "check-success=TestCephSmokeSuite (v1.26.1)"
-      - "check-success=TestCephHelmSuite (v1.21.14)"
-      - "check-success=TestCephHelmSuite (v1.26.1)"
-      - "check-success=TestCephMultiClusterDeploySuite (v1.26.1)"
-      - "check-success=TestCephUpgradeSuite (v1.21.14)"
-      - "check-success=TestCephUpgradeSuite (v1.26.1)"
-      - "check-success=TestHelmUpgradeSuite (v1.21.14)"
-      - "check-success=TestHelmUpgradeSuite (v1.26.1)"
-    actions:
-      merge:
-        method: merge
-      dismiss_reviews: {}
-      delete_head_branch: {}
-
-  # release-1.12 branch
-  - name: automerge backport release-1.12
-    conditions:
-      - author=mergify[bot]
-      - base=release-1.12
-      - label!=do-not-merge
-      - "status-success=DCO"
-      - "check-success=linux-build-all (1.21)"
-      - "check-success=unittests"
-      - "check-success=golangci-lint"
-      - "check-success=codegen"
-      - "check-success=codespell"
-      - "check-success=lint"
-      - "check-success=modcheck"
-      - "check-success=Shellcheck"
-      - "check-success=yaml-linter"
-      - "check-success=lint-test"
-      - "check-success=gen-rbac"
-      - "check-success=crds-gen"
-      - "check-success=docs-check"
-      - "check-success=pylint"
-      - "check-success=canary"
-      - "check-success=raw-disk"
-      - "check-success=two-osds-in-device"
-      - "check-success=osd-with-metadata-device"
-      - "check-success=encryption"
-      - "check-success=lvm"
-      - "check-success=pvc"
-      - "check-success=pvc-db"
-      - "check-success=pvc-db-wal"
-      - "check-success=encryption-pvc"
-      - "check-success=encryption-pvc-db"
-      - "check-success=encryption-pvc-db-wal"
-      - "check-success=encryption-pvc-kms-vault-token-auth"
-      - "check-success=encryption-pvc-kms-vault-k8s-auth"
-      - "check-success=lvm-pvc"
-      - "check-success=rgw-multisite-testing"
-      - "check-success=TestCephSmokeSuite (v1.22.17)"
-      - "check-success=TestCephSmokeSuite (v1.28.0)"
-      - "check-success=TestCephHelmSuite (v1.22.17)"
-      - "check-success=TestCephHelmSuite (v1.28.0)"
-      - "check-success=TestCephMultiClusterDeploySuite (v1.28.0)"
-      - "check-success=TestCephObjectSuite (v1.27.2)"
-      - "check-success=TestCephUpgradeSuite (v1.22.17)"
-      - "check-success=TestCephUpgradeSuite (v1.28.0)"
-      - "check-success=TestHelmUpgradeSuite (v1.22.17)"
-      - "check-success=TestHelmUpgradeSuite (v1.28.0)"
-    actions:
-      merge:
-        method: merge
-      dismiss_reviews: {}
-      delete_head_branch: {}
-
   # release-1.13 branch
   - name: automerge backport release-1.13
     conditions:
@@ -291,23 +186,64 @@ pull_request_rules:
       dismiss_reviews: {}
       delete_head_branch: {}
 
-  # release-1.11 branch
-  - actions:
-      backport:
-        branches:
-          - release-1.11
+  # release-1.16 branch
+  - name: automerge backport release-1.16
     conditions:
-      - label=backport-release-1.11
-    name: backport release-1.11
-
-  # release-1.12 branch
-  - actions:
-      backport:
-        branches:
-          - release-1.12
-    conditions:
-      - label=backport-release-1.12
-    name: backport release-1.12
+      - author=mergify[bot]
+      - base=release-1.16
+      - label!=do-not-merge
+      - "status-success=DCO"
+      - "check-success=linux-build-all (1.22)"
+      - "check-success=unittests"
+      - "check-success=golangci-lint"
+      - "check-success=codegen"
+      - "check-success=codespell"
+      - "check-success=lint"
+      - "check-success=modcheck"
+      - "check-success=Shellcheck"
+      - "check-success=yaml-linter"
+      - "check-success=lint-test"
+      - "check-success=gen-rbac"
+      - "check-success=crds-gen"
+      - "check-success=docs-check"
+      - "check-success=pylint"
+      - "check-success=canary-tests / canary (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / raw-disk-with-object (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / two-osds-in-device (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / osd-with-metadata-partition-device (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / osd-with-metadata-device (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / lvm (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / pvc (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / pvc-db (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / pvc-db-wal (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption-pvc (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption-pvc-db (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption-pvc-db-wal (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption-pvc-kms-vault-token-auth (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption-pvc-kms-vault-k8s-auth (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / lvm-pvc (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / multi-cluster-mirroring (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / rgw-multisite-testing (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / encryption-pvc-kms-ibm-kp (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / multus-public-and-cluster (quay.io/ceph/ceph:v18)"
+      - "check-success=canary-tests / csi-hostnetwork-disabled (quay.io/ceph/ceph:v18)"
+      - "check-success=TestCephSmokeSuite (v1.27.16)"
+      - "check-success=TestCephSmokeSuite (v1.31.0)"
+      - "check-success=TestCephHelmSuite (v1.27.16)"
+      - "check-success=TestCephHelmSuite (v1.31.0)"
+      - "check-success=TestCephMultiClusterDeploySuite (v1.31.0)"
+      - "check-success=TestCephObjectSuite (v1.27.16)"
+      - "check-success=TestCephObjectSuite (v1.31.0)"
+      - "check-success=TestCephUpgradeSuite (v1.27.16)"
+      - "check-success=TestCephUpgradeSuite (v1.31.0)"
+      - "check-success=TestHelmUpgradeSuite (v1.27.16)"
+      - "check-success=TestHelmUpgradeSuite (v1.31.0)"
+    actions:
+      merge:
+        method: merge
+      dismiss_reviews: {}
+      delete_head_branch: {}
 
   # release-1.13 branch
   - actions:
@@ -335,3 +271,12 @@ pull_request_rules:
     conditions:
       - label=backport-release-1.15
     name: backport release-1.15
+
+  # release-1.16 branch
+  - actions:
+      backport:
+        branches:
+          - release-1.16
+    conditions:
+      - label=backport-release-1.16
+    name: backport release-1.16
diff --git a/Documentation/Helm-Charts/operator-chart.md b/Documentation/Helm-Charts/operator-chart.md
index 7fc7ec887b3b..2fc1f37c0716 100644
--- a/Documentation/Helm-Charts/operator-chart.md
+++ b/Documentation/Helm-Charts/operator-chart.md
@@ -60,7 +60,7 @@ The following table lists the configurable parameters of the rook-operator chart
 | `csi.cephFSPluginUpdateStrategy` | CSI CephFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate | `RollingUpdate` |
 | `csi.cephFSPluginUpdateStrategyMaxUnavailable` | A maxUnavailable parameter of CSI cephFS plugin daemonset update strategy. | `1` |
 | `csi.cephcsi.repository` | Ceph CSI image repository | `"quay.io/cephcsi/cephcsi"` |
-| `csi.cephcsi.tag` | Ceph CSI image tag | `"v3.12.2"` |
+| `csi.cephcsi.tag` | Ceph CSI image tag | `"v3.12.3"` |
 | `csi.cephfsLivenessMetricsPort` | CSI CephFS driver metrics port | `9081` |
 | `csi.cephfsPodLabels` | Labels to add to the CSI CephFS Deployments and DaemonSets Pods | `nil` |
 | `csi.clusterName` | Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful in cases like for example, when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster | `nil` |
diff --git a/Documentation/Storage-Configuration/Ceph-CSI/ceph-csi-drivers.md b/Documentation/Storage-Configuration/Ceph-CSI/ceph-csi-drivers.md
index d06bb58ae9d4..b812ff173e67 100644
--- a/Documentation/Storage-Configuration/Ceph-CSI/ceph-csi-drivers.md
+++ b/Documentation/Storage-Configuration/Ceph-CSI/ceph-csi-drivers.md
@@ -217,10 +217,10 @@ CSI-Addons supports the following operations:
 
 Ceph-CSI supports encrypting PersistentVolumeClaims (PVCs) for both RBD and CephFS.
 This can be achieved using LUKS for RBD and fscrypt for CephFS. More details on encrypting RBD PVCs can be found
-[here](https://github.com/ceph/ceph-csi/blob/v3.12.2/docs/deploy-rbd.md#encryption-for-rbd-volumes),
+[here](https://github.com/ceph/ceph-csi/blob/v3.12.3/docs/deploy-rbd.md#encryption-for-rbd-volumes),
 which includes a full list of supported encryption configurations.
-More details on encrypting CephFS PVCs can be found [here](https://github.com/ceph/ceph-csi/blob/v3.12.2/docs/deploy-cephfs.md#cephfs-volume-encryption).
-A sample KMS configmap can be found [here](https://github.com/ceph/ceph-csi/blob/v3.12.2/examples/kms/vault/kms-config.yaml).
+More details on encrypting CephFS PVCs can be found [here](https://github.com/ceph/ceph-csi/blob/v3.12.3/docs/deploy-cephfs.md#cephfs-volume-encryption).
+A sample KMS configmap can be found [here](https://github.com/ceph/ceph-csi/blob/v3.12.3/examples/kms/vault/kms-config.yaml).
 
 !!! note
     Not all KMS are compatible with fscrypt. Generally, KMS that either store secrets to use directly (like Vault)
diff --git a/Documentation/Storage-Configuration/Ceph-CSI/custom-images.md b/Documentation/Storage-Configuration/Ceph-CSI/custom-images.md
index 86beab48d9a1..3e483a908a57 100644
--- a/Documentation/Storage-Configuration/Ceph-CSI/custom-images.md
+++ b/Documentation/Storage-Configuration/Ceph-CSI/custom-images.md
@@ -18,7 +18,7 @@ kubectl -n $ROOK_OPERATOR_NAMESPACE edit configmap rook-ceph-operator-config
 The default upstream images are included below, which you can change to your desired images.
 
 ```yaml
-ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.12.2"
+ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.12.3"
 ROOK_CSI_REGISTRAR_IMAGE: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1"
 ROOK_CSI_PROVISIONER_IMAGE: "registry.k8s.io/sig-storage/csi-provisioner:v5.0.1"
 ROOK_CSI_ATTACHER_IMAGE: "registry.k8s.io/sig-storage/csi-attacher:v4.6.1"
diff --git a/deploy/charts/rook-ceph/values.yaml b/deploy/charts/rook-ceph/values.yaml
index 8b5ceb82f197..c6bdda1f7238 100644
--- a/deploy/charts/rook-ceph/values.yaml
+++ b/deploy/charts/rook-ceph/values.yaml
@@ -480,7 +480,7 @@ csi:
     # -- Ceph CSI image repository
     repository: quay.io/cephcsi/cephcsi
     # -- Ceph CSI image tag
-    tag: v3.12.2
+    tag: v3.12.3
 
   registrar:
     # -- Kubernetes CSI registrar image repository
diff --git a/deploy/examples/images.txt b/deploy/examples/images.txt
index b84f8adbdd97..d8c62fdfef73 100644
--- a/deploy/examples/images.txt
+++ b/deploy/examples/images.txt
@@ -2,7 +2,7 @@
  gcr.io/k8s-staging-sig-storage/objectstorage-sidecar:v20240513-v0.1.0-35-gefb3255
  quay.io/ceph/ceph:v18.2.4
  quay.io/ceph/cosi:v0.1.2
- quay.io/cephcsi/cephcsi:v3.12.2
+ quay.io/cephcsi/cephcsi:v3.12.3
  quay.io/csiaddons/k8s-sidecar:v0.10.0
  registry.k8s.io/sig-storage/csi-attacher:v4.6.1
  registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
diff --git a/deploy/examples/operator-openshift.yaml b/deploy/examples/operator-openshift.yaml
index 1186fd1841b9..23d69fb09564 100644
--- a/deploy/examples/operator-openshift.yaml
+++ b/deploy/examples/operator-openshift.yaml
@@ -189,7 +189,7 @@ data:
   # The default version of CSI supported by Rook will be started. To change the version
   # of the CSI driver to something other than what is officially supported, change
   # these images to the desired release of the CSI driver.
-  # ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.12.2"
+  # ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.12.3"
   # ROOK_CSI_REGISTRAR_IMAGE: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1"
   # ROOK_CSI_RESIZER_IMAGE: "registry.k8s.io/sig-storage/csi-resizer:v1.11.1"
   # ROOK_CSI_PROVISIONER_IMAGE: "registry.k8s.io/sig-storage/csi-provisioner:v5.0.1"
diff --git a/deploy/examples/operator.yaml b/deploy/examples/operator.yaml
index b11549be5d32..75d92b585afc 100644
--- a/deploy/examples/operator.yaml
+++ b/deploy/examples/operator.yaml
@@ -119,7 +119,7 @@ data:
   # The default version of CSI supported by Rook will be started. To change the version
   # of the CSI driver to something other than what is officially supported, change
   # these images to the desired release of the CSI driver.
-  # ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.12.2"
+  # ROOK_CSI_CEPH_IMAGE: "quay.io/cephcsi/cephcsi:v3.12.3"
   # ROOK_CSI_REGISTRAR_IMAGE: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1"
   # ROOK_CSI_RESIZER_IMAGE: "registry.k8s.io/sig-storage/csi-resizer:v1.11.1"
   # ROOK_CSI_PROVISIONER_IMAGE: "registry.k8s.io/sig-storage/csi-provisioner:v5.0.1"
diff --git a/pkg/operator/ceph/csi/spec.go b/pkg/operator/ceph/csi/spec.go
index 0f587270f848..ae84d8df076c 100644
--- a/pkg/operator/ceph/csi/spec.go
+++ b/pkg/operator/ceph/csi/spec.go
@@ -131,7 +131,7 @@ var (
 // manually challenging.
 var (
 	// image names
-	DefaultCSIPluginImage   = "quay.io/cephcsi/cephcsi:v3.12.2"
+	DefaultCSIPluginImage   = "quay.io/cephcsi/cephcsi:v3.12.3"
 	DefaultRegistrarImage   = "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1"
 	DefaultProvisionerImage = "registry.k8s.io/sig-storage/csi-provisioner:v5.0.1"
 	DefaultAttacherImage    = "registry.k8s.io/sig-storage/csi-attacher:v4.6.1"
diff --git a/pkg/operator/ceph/csi/util_test.go b/pkg/operator/ceph/csi/util_test.go
index 3c8afc0ba40d..2e974a1d0f3d 100644
--- a/pkg/operator/ceph/csi/util_test.go
+++ b/pkg/operator/ceph/csi/util_test.go
@@ -284,7 +284,7 @@ func Test_getImage(t *testing.T) {
 			args: args{
 				data:         map[string]string{},
 				settingName:  "ROOK_CSI_CEPH_IMAGE",
-				defaultImage: "quay.io/cephcsi/cephcsi:v3.12.2",
+				defaultImage: "quay.io/cephcsi/cephcsi:v3.12.3",
 			},
 			want: DefaultCSIPluginImage,
 		},