diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index c9b4c092a..832ad3d1c 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -39,6 +39,10 @@ net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
+
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
 kernel.kptr_restrict = 2