diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2a17141a..a30ce498 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release.
 ## [Unreleased]
 ### Added
+* evolinux-base: On debian 10 and later, add noexec on /dev/shm
 ### Changed
 * elasticsearch: listen on local interface only by default
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 88ea931d..134e99f5 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -67,6 +67,8 @@ evolinux_fstab_home: True
 evolinux_fstab_home_options: defaults,noexec,nosuid,nodev
 evolinux_fstab_var_tmp: True
 evolinux_fstab_var_tmp_options: defaults,noexec,nosuid,nodev,size=1024m
+evolinux_fstab_dev_shm: True
+evolinux_fstab_dev_shm_options: defaults,nodev,nosuid,noexec
 # packages
diff --git a/evolinux-base/tasks/fstab.yml b/evolinux-base/tasks/fstab.yml
index 9baa8a70..fa9eaf9f 100644
--- a/evolinux-base/tasks/fstab.yml
+++ b/evolinux-base/tasks/fstab.yml
@@ -57,4 +57,15 @@ when:
     - evolinux_fstab_var_tmp
+- name: /dev/shm is created (Debian 10 and later)
+  mount:
+    src: tmpfs
+    name: /dev/shm
+    fstype: tmpfs
+    opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
+    state: mounted
+  when:
+    - evolinux_fstab_dev_shm
+    - ansible_distribution_major_version | version_compare('10', '>=')
 - meta: flush_handlers
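Review bot: The new `evolinux_fstab_dev_shm_options` value lists its flags as `defaults,nodev,nosuid,noexec`, while the neighbouring `evolinux_fstab_home_options` and `evolinux_fstab_var_tmp_options` use `defaults,noexec,nosuid,nodev`; mount(8) does not care about the order, but a uniform order makes the hardening flags auditable with a single grep across the defaults. I would write `evolinux_fstab_dev_shm_options: defaults,noexec,nosuid,nodev`. Unlike `_var_tmp_options`, no `size=` cap is given, so the kernel's tmpfs default (half of physical RAM) applies; if that is intended, a comment next to the variable such as `# no size= cap: the kernel tmpfs default (50% of RAM) is kept` saves the next reader the question.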
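Review bot: The `when` condition of the new `/dev/shm` task compares `ansible_distribution_major_version` with `version_compare('10', '>=')` but never checks `ansible_distribution`, and on Debian testing/sid that fact can be a non-numeric string, in which case the comparison can fail the play instead of skipping the task. `version_compare` has also been a deprecated alias of the `version` test since Ansible 2.5; if the roles already require that version, `ansible_distribution_major_version is version('10', '>=')` is the current form, and guarding with `ansible_distribution == "Debian"` as well makes the intent explicit (the role may be Debian-only elsewhere, in which case the extra guard is documentation rather than a behaviour change). The task would also benefit from a one-line comment recording why it is restricted to Debian 10 and later, since a reader cannot tell from the task whether older releases are excluded for a technical reason or are simply untested. The preceding task's `when:` block, to which the first context line belongs, starts outside the hunk.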