diff --git a/kali-config/common/hooks/live/kali-hacks.chroot b/kali-config/common/hooks/live/kali-hacks.chroot
index 09be21d..60d7606 100755
--- a/kali-config/common/hooks/live/kali-hacks.chroot
+++ b/kali-config/common/hooks/live/kali-hacks.chroot
@@ -37,3 +37,10 @@ update-initramfs -u
 if [ -x "$(which updatedb 2>/dev/null)" ]; then
     updatedb
 fi
+
+# Mark kernel related packages on hold so that they are not upgraded in
+# the live system
+for pkg in $(dpkg-query -W -f'${binary:Package}\n' 'linux-image-*' 'linux-headers-*' 'linux-kbuild-*')
+do
+    apt-mark hold $pkg
+done
diff --git a/kali-config/common/includes.installer/usr/lib/live-installer.d/unhold b/kali-config/common/includes.installer/usr/lib/live-installer.d/unhold
new file mode 100755
index 0000000..40e94f7
--- /dev/null
+++ b/kali-config/common/includes.installer/usr/lib/live-installer.d/unhold
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Remove the "hold" mark on any package, in Kali we put kernel packages
+# on hold because upgrading them hurts more than it helps and because
+# we want to ensure they are not removed by a routine dist-upgrade.
+in-target sh -c 'apt-mark showhold | while read pkg; do apt-mark unhold $pkg; done'