From fae6b251375ae49320a96ac8177fba587d554d17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Jane=C5=BEi=C4=8D?=
Date: Sat, 9 May 2026 23:22:35 +0200
Subject: [PATCH] temp: dirty-frag (CVE-2026-43284, CVE-2026-43500)
---
 lib/mkHost.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/mkHost.nix b/lib/mkHost.nix
index c8d522c..8205b6d 100644
--- a/lib/mkHost.nix
+++ b/lib/mkHost.nix
@@ -87,6 +87,11 @@ nixpkgs.lib.nixosSystem {
 { nixpkgs.config.allowUnfree = true; }
 { networking.hostName = name; }
 
+ # TEMP:(@janezicmatej) temporary mitigation for dirty frag
+ # blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
+ # remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
+ { boot.blacklistedKernelModules = [ "esp4" "esp6" "rxrpc" ]; }
+
 featureEnableModule
 hostConfig
 ]
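Review bot: `boot.blacklistedKernelModules` in the added entry only emits modprobe `blacklist` lines, which suppress alias-based autoloading. It does not stop an explicit `modprobe esp4`, a load pulled in as a dependency of another module, or a module already loaded on a running host, so the comment's "blocks" overstates it. If the goal is to keep esp4/esp6/rxrpc unloadable until the fixed kernel ships, pair it with install overrides such as `({ pkgs, ... }: { boot.extraModprobeConfig = "install esp4 ${pkgs.coreutils}/bin/false"; })`, with matching lines for `esp6` and `rxrpc`, and note that hosts need a reboot or a module unload before it takes effect. Since this sits in the shared list that every host built by mkHost receives, the comment should also say that IPsec ESP and AF_RXRPC users such as kAFS stop working while it is in place. The module list opens above the hunk, so whether `pkgs` is reachable this way should be confirmed against the rest of the file.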