diff --git a/modules/nixos/common/boot.nix b/modules/nixos/common/boot.nix
index c1859bd..2eaf9cf 100644
--- a/modules/nixos/common/boot.nix
+++ b/modules/nixos/common/boot.nix
@@ -5,4 +5,16 @@
 boot.kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.18.22") (
 lib.mkDefault pkgs.linuxPackages_6_18
 );
+
+ # fix CVE-2026-43500
+ boot.extraModprobeConfig = ''
+ install esp4 ${pkgs.coreutils}/bin/false
+ install esp6 ${pkgs.coreutils}/bin/false
+ install rxrpc ${pkgs.coreutils}/bin/false
+ '';
+ boot.blacklistedKernelModules = [
+ "esp4"
+ "esp6"
+ "rxrpc"
+ ];
 }
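Review bot: The `# fix CVE-2026-43500` comment understates the added block, which is a mitigation rather than a fix: it makes `esp4`, `esp6` and `rxrpc` unloadable on what is presumably every host importing this common module, so IPsec ESP and AF_RXRPC stop working there. Unlike the `lib.versionOlder` guard on `boot.kernelPackages` just above, it has no condition under which it goes away. I would reword the comment to something like `# mitigation for CVE-2026-43500: block esp4/esp6/rxrpc (disables IPsec ESP and AF_RXRPC); remove once the running kernel carries the fix`, and wrap both settings in a matching `lib.mkIf` if a fixed kernel version is known. The `install … false` lines and the blacklist also only affect loads that go through modprobe, so a module already loaded on a running host stays loaded until it is removed or the machine reboots. The enclosing attribute set starts outside the hunk.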