diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index f50ac2e908e2..3185137f971f 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -265,6 +265,8 @@
 - The `stackclashprotection` hardening flag has been added, though disabled by default.
+- The `pacret` hardening flag has been added, though disabled by default.
+
 - `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor of `cargoHash` which supports SRI hashes. See [buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo)
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index fc457ed0134a..4440d99ccaba 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
- declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+ declare -a allHardeningFlags=(fortify fortify3 shadowstack stackprotector stackclashprotection pacret pie pic strictoverflow format trivialautovarinit zerocallusedregs)
 declare -A hardeningDisableMap=()
 # Determine which flags were effectively disabled so we can report below.
@@ -79,6 +79,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling shadowstack >&2; fi
 hardeningCFlagsBefore+=('-fcf-protection=return')
 ;;
+ pacret)
+ if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling pacret >&2; fi
+ hardeningCFlagsBefore+=('-mbranch-protection=pac-ret')
+ ;;
 stackprotector)
 if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
 hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
diff --git a/pkgs/development/compilers/gcc/default.nix b/pkgs/development/compilers/gcc/default.nix
index 53d0bf1159f3..fb9e97b15a9a 100644
--- a/pkgs/development/compilers/gcc/default.nix
+++ b/pkgs/development/compilers/gcc/default.nix
@@ -437,6 +437,7 @@ pipe ((callFile ./common/builder.nix {}) ({
 && targetPlatform.isx86_64
 && targetPlatform.libc == "glibc"
 )) "shadowstack"
+ ++ optional (!(atLeast9 && targetPlatform.isLinux && targetPlatform.isAarch64)) "pacret"
 ++ optionals (langFortran) [ "fortify" "format" ];
 };
diff --git a/pkgs/development/compilers/llvm/common/clang/default.nix b/pkgs/development/compilers/llvm/common/clang/default.nix
index 862c5cbb1178..659d29d1c564 100644
--- a/pkgs/development/compilers/llvm/common/clang/default.nix
+++ b/pkgs/development/compilers/llvm/common/clang/default.nix
@@ -143,6 +143,11 @@ let
 || !targetPlatform.isLinux
 || !targetPlatform.isx86_64
 ) "shadowstack"
+ ++ lib.optional (
+ (lib.versionOlder release_version "8")
+ || !targetPlatform.isAarch64
+ || !targetPlatform.isLinux
+ ) "pacret"
 ++ lib.optional (
 (lib.versionOlder release_version "11")
 || (targetPlatform.isAarch64 && (lib.versionOlder release_version "18.1"))
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index bda0060900dd..7da4f4ac8740 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
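Review bot: The new `pacret)` arm appends `-mbranch-protection=pac-ret` with no architecture check of its own, so whether the flag reaches a non-AArch64 compiler depends entirely on the `hardeningUnsupportedFlags` gates added to gcc and clang in this same commit (and on the stage.nix list that turns it on by default relying on the same gates); that coupling deserves a comment in the case list so the next person editing it does not assume the wrapper filters by target. Two properties of pac-ret are worth recording in the same place: the sign/authenticate instructions live in the HINT encoding space, so on hardware without pointer authentication they execute as no-ops and the hardening is silently inert, and plain `pac-ret` only instruments functions that spill the link register, with `pac-ret+leaf` needed to cover leaf functions too. Suggested comment above the `hardeningCFlagsBefore+=` line: `# AArch64 only (gated by hardeningUnsupportedFlags in the compiler packages); a NOP on CPUs without pointer auth; leaf functions are not signed without +leaf`. The enclosing `case` starts and ends outside the hunk.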
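Review bot: The gcc gate packs its whole condition onto one line, `++ optional (!(atLeast9 && targetPlatform.isLinux && targetPlatform.isAarch64)) "pacret"`, while the `shadowstack` entry directly above it puts one `&&` clause per line inside `(!( ... ))`; writing the new entry in the same shape (`atLeast9`, `&& targetPlatform.isLinux`, `&& targetPlatform.isAarch64` on separate lines) keeps the list uniform. In the clang hunk the same gate lists its platform checks in the opposite order from the neighbouring `shadowstack` entry (`!targetPlatform.isAarch64 || !targetPlatform.isLinux` versus `!targetPlatform.isLinux || !targetPlatform.isx86_64`); ordering them alike lets the two entries be read as a pair. Together these two gates are the only thing restricting pac-ret to aarch64-linux targets, since the wrapper script's new case arm does no architecture check, so a one-line comment such as `# pac-ret is an AArch64-only codegen option; the cc-wrapper relies on this gate` on each would be useful. The surrounding attribute set is outside the hunk in both files.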
@@ -116,6 +116,7 @@ let
 "fortify"
 "fortify3"
 "shadowstack"
+ "pacret"
 "pic"
 "pie"
 "relro"
diff --git a/pkgs/stdenv/linux/bootstrap-tools/default.nix b/pkgs/stdenv/linux/bootstrap-tools/default.nix
index 3b69f7c53194..6064f7693834 100644
--- a/pkgs/stdenv/linux/bootstrap-tools/default.nix
+++ b/pkgs/stdenv/linux/bootstrap-tools/default.nix
@@ -18,6 +18,7 @@ derivation ({
 hardeningUnsupportedFlags = [
 "fortify3"
 "shadowstack"
+ "pacret"
 "stackclashprotection"
 "trivialautovarinit"
 "zerocallusedregs"
diff --git a/pkgs/top-level/stage.nix b/pkgs/top-level/stage.nix
index 363f5fd0de14..b19559dd7f1f 100644
--- a/pkgs/top-level/stage.nix
+++ b/pkgs/top-level/stage.nix
@@ -323,6 +323,7 @@ let
 stdenv = super'.withDefaultHardeningFlags (
 super'.stdenv.cc.defaultHardeningFlags ++ [
 "shadowstack"
+ "pacret"
 "stackclashprotection"
 "trivialautovarinit"
 ]