diff --git a/build/components/versions.yml b/build/components/versions.yml
index daf7a6a989..7f1c681099 100644
--- a/build/components/versions.yml
+++ b/build/components/versions.yml
@@ -1,5 +1,5 @@
 firmware:
-  qemu: v9.2.0
+  qemu: v10.2.2
   libvirt: v10.9.0
   edk2: stable202411
 core:
diff --git a/images/qemu/patches/002-remove-nehalem-ht.patch b/images/qemu/patches/002-remove-nehalem-ht.patch
new file mode 100644
index 0000000000..e1b5b492b7
--- /dev/null
+++ b/images/qemu/patches/002-remove-nehalem-ht.patch
@@ -0,0 +1,28 @@
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 78308a82a0..d5f3f5276e 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -2213,6 +2213,7 @@ typedef struct X86CPUDefinition {
+     int stepping;
+     uint8_t avx10_version;
+     FeatureWordArray features;
++    FeatureWordArray filtered_features;
+     const char *model_id;
+     const CPUCaches *const cache_info;
+     /*
+@@ -3708,6 +3709,7 @@ static const X86CPUDefinition builtin_x86_defs[] = {
+             CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+             CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+             CPUID_DE | CPUID_FP87,
++        .filtered_features[FEAT_1_EDX] = CPUID_HT,
+         .features[FEAT_1_ECX] =
+             CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
+             CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3,
+@@ -7735,6 +7737,7 @@ static void x86_cpu_load_model(X86CPU *cpu, const X86CPUModel *model)
+                             &error_abort);
+     for (w = 0; w < FEATURE_WORDS; w++) {
+         env->features[w] = def->features[w];
++        cpu->filtered_features[w] |= def->filtered_features[w];
+     }
+ 
+     /* legacy-cache defaults to 'off' if CPU model provides cache info */
diff --git a/images/qemu/werf.inc.yaml b/images/qemu/werf.inc.yaml
index 8f8832f339..b8785b6f38 100644
--- a/images/qemu/werf.inc.yaml
+++ b/images/qemu/werf.inc.yaml
@@ -215,8 +215,6 @@ shell:
       --block-drv-ro-whitelist="vdi,vmdk,vhdx,vpc,https" \
       --disable-alsa \
       --disable-auth-pam \
-      --disable-avx2 \
-      --disable-avx512bw \
       --disable-block-drv-whitelist-in-tools \
       --disable-bochs \
       --disable-bpf \
@@ -256,7 +254,7 @@ shell:
       --disable-linux-user \
       --disable-lto \
       --disable-lzfse \
-      --disable-membarrier \
+      --enable-membarrier \
       --disable-module-upgrades \
       --disable-multiprocess \
       --disable-netmap \
@@ -321,7 +319,7 @@ shell:
       --enable-pie \
       --enable-rbd \
       --enable-rdma \
-      --enable-seccomp \
+      --disable-seccomp \
       --enable-selinux \
       --enable-slirp \
       --enable-snappy \