diff --git a/roles/privacy/tasks/advanced_privacy.yml b/roles/privacy/tasks/advanced_privacy.yml
index 65b442ad..9e1f0a72 100644
--- a/roles/privacy/tasks/advanced_privacy.yml
+++ b/roles/privacy/tasks/advanced_privacy.yml
@@ -10,9 +10,17 @@
   loop:
     - { name: 'kernel.printk', value: '3 4 1 3' }
     - { name: 'kernel.dmesg_restrict', value: '1' }
-    - { name: 'net.core.bpf_jit_enable', value: '0' }
   when: privacy_advanced.reduce_kernel_verbosity | bool
 
+- name: Disable BPF JIT if available (optional security hardening)
+  sysctl:
+    name: net.core.bpf_jit_enable
+    value: '0'
+    state: present
+    reload: yes
+  when: privacy_advanced.reduce_kernel_verbosity | bool
+  ignore_errors: yes
+
 - name: Configure kernel parameters for privacy
   lineinfile:
     path: /etc/sysctl.d/99-privacy.conf
@@ -23,10 +31,18 @@
     - "# Privacy enhancements - reduce kernel logging"
     - "kernel.printk = 3 4 1 3"
     - "kernel.dmesg_restrict = 1"
-    - "# Disable BPF JIT to reduce attack surface"
-    - "net.core.bpf_jit_enable = 0"
+    - "# Note: net.core.bpf_jit_enable may not be available on all kernels"
   when: privacy_advanced.reduce_kernel_verbosity | bool
 
+- name: Add BPF JIT disable to sysctl config if kernel supports it
+  lineinfile:
+    path: /etc/sysctl.d/99-privacy.conf
+    line: "net.core.bpf_jit_enable = 0 # Disable BPF JIT to reduce attack surface"
+    create: yes
+    mode: '0644'
+  when: privacy_advanced.reduce_kernel_verbosity | bool
+  ignore_errors: yes
+
 - name: Configure journal settings for privacy
   lineinfile:
     path: /etc/systemd/journald.conf
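Review bot: `ignore_errors: yes` on the new "Disable BPF JIT if available" task swallows every failure, not just the missing-sysctl case it is meant for, so a genuine problem (permission denied, a typo in the key, a read-only /proc/sys) is reported as "ignoring" and the hardening is silently not applied. The kernel's support for the key is directly observable, so the task should be gated on a `stat` of `/proc/sys/net/core/bpf_jit_enable` instead of ignoring errors, as below. Note also that `sysctl` with `state: present` persists the key to the module's default `sysctl_file` (`/etc/sysctl.conf`) unless `sysctl_file` is set, which overlaps with the `/etc/sysctl.d/99-privacy.conf` file written by the following tasks; pointing `sysctl_file` at that file would keep the setting in one place. The `reload: yes` / `ignore_errors: yes` truthy forms should be `true` to match yamllint's `truthy` rule.
```yaml
- name: Check whether the kernel exposes net.core.bpf_jit_enable
  stat:
    path: /proc/sys/net/core/bpf_jit_enable
  register: bpf_jit_sysctl

- name: Disable BPF JIT if available (optional security hardening)
  sysctl:
    name: net.core.bpf_jit_enable
    value: '0'
    state: present
    reload: true
  when:
    - privacy_advanced.reduce_kernel_verbosity | bool
    - bpf_jit_sysctl.stat.exists
# … unchanged: Configure kernel parameters for privacy …
```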
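Review bot: The `line:` in the new "Add BPF JIT disable to sysctl config" task embeds a trailing `# Disable BPF JIT ...` comment in the same line as the setting; sysctl.conf(5) only recognises comments that begin a line, so the loaders that apply `/etc/sysctl.d` at boot will most likely hand `0 # Disable BPF JIT to reduce attack surface` to the kernel as the value and the write may be rejected. Keep the comment as its own line (the previous task already manages comment lines in this file) and write `line: "net.core.bpf_jit_enable = 0"`. The task name says "if kernel supports it", but `lineinfile` cannot tell whether the key exists and `ignore_errors: yes` does not change that — the line is written unconditionally, and on a kernel without the key `sysctl --system` will log an error for it at boot; the same `stat`-based guard suggested for the sysctl task in the first hunk applies here. As in the first hunk, `create: yes` / `ignore_errors: yes` should be `true`.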