diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4ab4f56..53b2ab8 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -24,6 +24,16 @@ ARG nb_user=jovyan
 ARG nb_uid=1000
 ARG nb_gid=100
+# Apply OS-level security patches declared in apt-security.txt.
+# Each line is =. Comments and blank lines are ignored.
+# To add a new CVE mitigation: edit docker/apt-security.txt and rebuild.
+COPY apt-security.txt /conf/apt-security.txt
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN packages=$(grep -v '^\s*#' /conf/apt-security.txt | grep -v '^\s*$' | tr '\n' ' ') \
+ && apt-get update && apt-get install -y --no-install-recommends $packages \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
 RUN useradd -l -m -s /bin/bash -N -g $nb_gid -u $nb_uid $nb_user
 COPY --chown=$nb_uid:$nb_gid --from=sandbox-conda /env /env
diff --git a/docker/apt-security.txt b/docker/apt-security.txt
new file mode 100644
index 0000000..91acdf4
--- /dev/null
+++ b/docker/apt-security.txt
@@ -0,0 +1,16 @@
+# OS-level security patches applied at image build time.
+# Format: = (exact apt version string)
+# To find the available version: apt-cache policy
+#
+# When a new CVE mitigation is needed:
+# 1. Add or update the package=version line below
+# 2. Rebuild the image via the normal build and release workflow
+# 3. Document the CVE in the comment above the line
+#
+# When a CVE is resolved in a newer base image (ubuntu:jammy-*), the line
+# can be removed here once the base image tag is bumped past the fix.
+
+# CVE-2026-31431 (Copy Fail) — local privilege escalation via algif_aead kernel module.
+# Fixed in kmod >= 29-1ubuntu1.1. Host kernel must also be patched separately.
+# Ref: https://ubuntu.com/blog/copy-fail-vulnerability-fixes-available
+kmod=29-1ubuntu1.1
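Review bot: With `SHELL` now set to `-o pipefail`, the `packages=$(...)` substitution on the new `RUN` line fails the build as soon as apt-security.txt holds no package line, because `grep -v` exits 1 when it selects nothing and that status propagates through the pipeline and the `&&` chain — yet the file's own header says entries are meant to be removed once the base image carries the fix. Collapsing the two greps and tolerating an empty result keeps the step a harmless no-op in that case: `RUN packages=$(grep -vE '^\s*(#|$)' /conf/apt-security.txt | tr '\n' ' ' || true) \`. Note also that `SHELL` persists for every later `RUN` in this stage (the `useradd` line and whatever follows the hunk), so those now run under bash with pipefail instead of `/bin/sh`; if that is not intended, add a comment saying so or reset `SHELL` after this step. The build stage this hunk belongs to starts and ends outside the hunk.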
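Review bot: The comment on the kmod entry says the fix is `kmod >= 29-1ubuntu1.1`, but the line below pins an exact `kmod=29-1ubuntu1.1`, and `apt-get install pkg=version` refuses any other version; once the archive replaces this build with a later kmod the image will stop building until someone bumps the pin, even though the newer package still carries the fix. Either state in the header that pins are exact and are expected to need bumping whenever the archive moves, or record that the install step should verify a minimum version rather than demand an exact one. The `Format:` and `apt-cache policy` lines also appear to have lost their placeholders (angle brackets likely stripped on rendering); worth confirming the committed file reads `# Format: <package>=<version>` and `apt-cache policy <package>`.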