temp: dirty-frag (CVE-2026-43284, CVE-2026-43500)

2026-05-09 23:22:35 +02:00
parent 4a59f6b57c
commit fae6b25137
1 changed files with 5 additions and 0 deletions
--- a/lib/mkHost.nix
+++ b/lib/mkHost.nix
@@ -87,6 +87,11 @@ nixpkgs.lib.nixosSystem {
    { nixpkgs.config.allowUnfree = true; }
    { networking.hostName = name; }

+    # TEMP:(@janezicmatej) temporary mitigation for dirty frag
+    # blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
+    # remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
+    { boot.blacklistedKernelModules = [ "esp4" "esp6" "rxrpc" ]; }
+
    featureEnableModule
    hostConfig
  ]