diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 5fc22736d7f..24ae1967570 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -343,7 +343,7 @@ with stdenv.lib;
 # Security related features.
 RANDOMIZE_BASE? y
- STRICT_DEVMEM y # Filter access to /dev/mem
+ STRICT_DEVMEM? y # Filter access to /dev/mem
 SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
 SECURITY_YAMA? y # Prevent processes from ptracing non-children processes
 DEVKMEM n # Disable /dev/kmem
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index b7959f9d359..3a82c00c501 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -61,8 +61,8 @@ ${optionalString (versionAtLeast version "4.12") ''
 DEBUG_WX y # boot-time warning on RWX mappings
 # Stricter /dev/mem
-STRICT_DEVMEM y
-IO_STRICT_DEVMEM y
+STRICT_DEVMEM? y
+IO_STRICT_DEVMEM? y
 # Perform additional validation of commonly targeted structures.
 DEBUG_CREDENTIALS y
diff --git a/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix b/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
index 5f4a5d5adb5..1ccc152bb28 100644
--- a/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
@@ -3,9 +3,9 @@ with stdenv.lib;
 let
- version = "4.14.12";
+ version = "4.14.13";
 revision = "a";
- sha256 = "002a3c177fix472wqc89zrpfzwk60l7dn76l869ivgnd60n6wqb2";
+ sha256 = "08fvb1lllb0xkckw2y66g0j5z88kp877r51jj3kksfkvjfibjr0j";
 # modVersion needs to be x.y.z, will automatically add .0 if needed
 modVersion = concatStrings (intersperse "." (take 3 (splitString "." "${version}.0")));
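Review bot: Marking `STRICT_DEVMEM? y` and `IO_STRICT_DEVMEM? y` as optional in hardened-config.nix turns the /dev/mem restriction into a best-effort setting: with the `?` suffix the config generation no longer fails when the kernel does not accept the option, so a hardened build can complete with unfiltered /dev/mem and nothing in the build reports it. The same relaxation is applied to `STRICT_DEVMEM? y` in the common-config.nix hunk. The diff gives no reason for the change; if it is needed because one kernel in the set no longer exposes these symbols as selectable, record that next to the option, e.g. `# Stricter /dev/mem (optional: not selectable on every kernel built from this config — TODO name the kernel)`. For the hardened profile it may be preferable to keep the hard requirement wherever the option is still selectable, for instance behind a version condition like the `versionAtLeast` guard visible in the hunk header, though the enclosing config string starts and ends outside the hunk, so where such a guard would sit cannot be confirmed from here.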