diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index d14b46d..e83df56 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -133,3 +133,9 @@ kernel.sysrq=132
 ##
 ## https://lkml.org/lkml/2019/4/15/890
 dev.tty.ldisc_autoload=0
+
+## Restrict the userfaultfd() syscall to root as it can make heap sprays
+## easier.
+##
+## https://duasynt.com/blog/linux-kernel-heap-spray
+vm.unprivileged_userfaultfd=0
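Review bot: The added comment says the syscall is restricted "to root", but the kernel gates this sysctl on CAP_SYS_PTRACE rather than on uid 0, so the wording overstates who is locked out and who is still allowed. On newer kernels (5.11 and later, as far as I recall) a value of 0 still lets unprivileged callers create a userfaultfd with UFFD_USER_MODE_ONLY, so only kernel-mode fault handling is blocked there. I would reword the comment to `## Restrict the userfaultfd() syscall to processes with CAP_SYS_PTRACE, as it can make heap sprays easier.` and add `## On newer kernels unprivileged use remains possible for user-mode faults only (UFFD_USER_MODE_ONLY).`. A line noting that kernels which predate this sysctl will report an unknown key when the file is applied would also help anyone auditing boot logs.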