From 997c4a98dc474a6511a3c61799f1cc305e662195 Mon Sep 17 00:00:00 2001
From: sid
Date: Sat, 9 May 2026 08:39:38 +0200
Subject: [PATCH] fix CVE-2026-43500
---
 modules/nixos/common/boot.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/nixos/common/boot.nix b/modules/nixos/common/boot.nix
index c1859bd..2eaf9cf 100644
--- a/modules/nixos/common/boot.nix
+++ b/modules/nixos/common/boot.nix
@@ -5,4 +5,16 @@
 boot.kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.18.22") (
 lib.mkDefault pkgs.linuxPackages_6_18
 );
+
+ # fix CVE-2026-43500
+ boot.extraModprobeConfig = ''
+ install esp4 ${pkgs.coreutils}/bin/false
+ install esp6 ${pkgs.coreutils}/bin/false
+ install rxrpc ${pkgs.coreutils}/bin/false
+ '';
+ boot.blacklistedKernelModules = [
+ "esp4"
+ "esp6"
+ "rxrpc"
+ ];
 }
-- 
2.51.2
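Review bot: The comment `# fix CVE-2026-43500` overstates what the added block does: it is a mitigation that stops modprobe from loading esp4, esp6 and rxrpc, and it records neither what it disables nor when it can be removed. Because this lives in the common module, every host importing it loses IPsec ESP (esp4/esp6) and RxRPC users such as kernel AFS, so hosts that depend on those need a documented way to opt out. The `install … /bin/false` rules and the blacklist only act on future modprobe load attempts; a module that is already loaded stays loaded until reboot or manual unload, and neither setting has any effect if the code is built into the kernel rather than shipped as a module. I would replace the comment with `# Mitigation for CVE-2026-43500: block loading of esp4/esp6/rxrpc (disables IPsec ESP and RxRPC/AFS).` followed by `# Remove once the deployed kernel carries the upstream fix (<fixed-version>).`. The enclosing attribute set starts outside the hunk.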