diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index ed6039c..f3d6487 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -29,6 +29,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ## Enables page allocator freelist randomization.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
+## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
+## https://lkml.org/lkml/2019/3/18/246
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
+
 ## Enables kernel lockdown.
 ##
 ## Disabled for now as it enforces module signature verification which breaks
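Review bot: The comment above the new `randomize_kstack_offset=on` line does not say what happens on a kernel that lacks the feature, and its only reference is a 2019 mailing-list thread that predates the 5.13 release it names. As far as I know an unrecognised parameter is not a boot failure, so on older kernels or builds without the option the hardening is silently absent; I would add a line such as `## Has no effect on kernels older than 5.13 or built without kernel stack offset randomisation support.` Pointing to the `randomize_kstack_offset` entry in the kernel's `Documentation/admin-guide/kernel-parameters.txt` alongside the thread would give readers the merged semantics rather than the early proposal. Minor style point: "randomisation" here differs from "randomization" in the page allocator comment just above.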