diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index bff15b05fd94..2482641c9f02 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -15,6 +15,10 @@ assert (versionAtLeast version "4.9");
 ''
 GCC_PLUGINS y # Enable gcc plugin options
 
+${optionalString (versionAtLeast version "4.11") ''
+  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+''}
+
 DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
 
 ${optionalString (versionAtLeast version "4.10") ''