diff --git a/modules/nixos/base/kernel-hardening.nix b/modules/nixos/base/kernel-hardening.nix
new file mode 100644
index 00000000..7f05ac51
--- /dev/null
+++ b/modules/nixos/base/kernel-hardening.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ # Kernel module blacklisting to mitigate Dirty Frag LPE (Local Privilege Escalation) vulnerabilities.
+ boot.blacklistedKernelModules = [
+ "esp4"
+ "esp6"
+ "rxrpc"
+ ];
+
+ boot.extraModprobeConfig = ''
+ install esp4 ${pkgs.coreutils}/bin/false
+ install esp6 ${pkgs.coreutils}/bin/false
+ install rxrpc ${pkgs.coreutils}/bin/false
+ '';
+}
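Review bot: The header comment above `boot.blacklistedKernelModules` names "Dirty Frag" but gives no advisory identifier, no affected/fixed kernel range, and no hint of why rxrpc sits next to esp4/esp6, so nobody can tell when these overrides may be retired; replace it with something like `# Mitigation for <advisory/CVE>: esp4/esp6 (IPsec ESP) and rxrpc stay unloadable until boot.kernelPackages carries the fix (<version>); remove this module once it does.`. The comment should also say that the `install <mod> …/bin/false` lines in `boot.extraModprobeConfig` are what actually enforce this: a modprobe `blacklist` entry only suppresses alias-based autoloading, whereas the `install` override also refuses explicit `modprobe` and kernel `request_module()` calls, so the blacklist list alone would not have been sufficient. Neither directive has any effect when the module is compiled into the kernel rather than built as a module, so this is only a mitigation for kernels where those are loadable modules — worth stating, or asserting against the kernel config if the flake already exposes it. Finally, the side effect deserves a warning in the same comment, since forcing these to `false` breaks IPsec (esp4/esp6) and anything using AF_RXRPC (e.g. kafs/AFS) on every host importing this base module.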