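# NixOS module: kernel-level mitigations for CVE-2026-31431 and CVE-2026-43500.
#
# Two independent measures are applied:
#   1. If the default kernel of this nixpkgs is older than 6.18.22, prefer the
#      6.18 series (CVE-2026-31431).
#   2. Stop the esp4, esp6 and rxrpc modules from being loaded through
#      modprobe (CVE-2026-43500).
{ config, lib, pkgs, ... }:

let
  # Kernel version this module treats as carrying the CVE-2026-31431 fix.
  fixedKernelVersion = "6.18.22";

  # Modules disabled for CVE-2026-43500, kept in one list so the modprobe
  # rules and the blacklist cannot drift apart.
  # esp4/esp6 implement IPsec ESP for IPv4/IPv6 and rxrpc provides the RxRPC
  # transport used by the in-kernel AFS client; hosts that rely on either
  # lose that functionality while this module is enabled.
  blockedModules = [ "esp4" "esp6" "rxrpc" ];

  # Kernel the system will actually boot, after every module's definition of
  # boot.kernelPackages has been merged.
  effectiveKernelVersion = config.boot.kernelPackages.kernel.version;
in
{
  boot = {
    # fix CVE-2026-31431
    # mkDefault keeps this overridable: any plain boot.kernelPackages
    # definition elsewhere in the configuration takes precedence, in which
    # case the upgrade below does not happen.
    kernelPackages =
      lib.mkIf (lib.versionOlder pkgs.linux.version fixedKernelVersion)
        (lib.mkDefault pkgs.linuxPackages_6_18);

    # fix CVE-2026-43500
    # "install <module> <command>" makes modprobe run <command> instead of
    # inserting the module; `false` exits non-zero, so the load fails.
    # This only governs loading via modprobe: a module that is already
    # loaded stays loaded until it is removed or the host reboots, and the
    # rule has no effect on code built into the kernel image.
    extraModprobeConfig =
      lib.concatMapStrings
        (name: "install ${name} ${pkgs.coreutils}/bin/false\n")
        blockedModules;

    # Blacklisting additionally stops alias-based autoloading.
    blacklistedKernelModules = blockedModules;
  };

  # The condition above inspects pkgs.linux, not the kernel that ends up
  # selected, and it does not check which 6.18.x release the pinned nixpkgs
  # ships. Surface the gap at evaluation time instead of failing silently.
  warnings = lib.optional
    (lib.versionOlder effectiveKernelVersion fixedKernelVersion)
    "boot.kernelPackages resolves to Linux ${effectiveKernelVersion}, which is older than ${fixedKernelVersion}; the CVE-2026-31431 mitigation in this module assumes ${fixedKernelVersion} or newer. Confirm that the selected kernel carries the fix.";
}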