diff --git a/debian/changelog b/debian/changelog
index a17c336d7..8b302019c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,8 @@ linux-2.6 (2.6.25~rc5-1~experimental.1) UNRELEASED; urgency=low
   * Tighten yaird dependency. (closes: #403171)
   * Configs general cleanup, centralize USB_NET, disable IRDA_DEBUG.
   * postinst: Nuke confusing postinst message. (closes: #465512)
+  * [SECURITY]: Set DEFAULT_MMAP_MIN_ADDR to 65536 enabling low address space
+    protection from user allocation - /proc/sys/vm/mmap_min_addr tunable.
 
   [ Martin Michlmayr ]
   * [arm/armel] Add a kernel for Orion based devices, such as the QNAP
diff --git a/debian/config/config b/debian/config/config
index 8f0f2c469..3496ad7b6 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -1872,6 +1872,7 @@ CONFIG_SECURITY=y
 CONFIG_SECURITY_CAPABILITIES=y
 CONFIG_SECURITY_FILE_CAPABILITIES=y
 # CONFIG_SECURITY_ROOTPLUG is not set
+CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0