diff --git a/criu/arch/x86/include/asm/kerndat.h b/criu/arch/x86/include/asm/kerndat.h
index 903bc80f7..5c3717230 100644
--- a/criu/arch/x86/include/asm/kerndat.h
+++ b/criu/arch/x86/include/asm/kerndat.h
@@ -4,5 +4,6 @@
 extern int kdat_compatible_cr(void);
 extern int kdat_can_map_vdso(void);
 extern int kdat_x86_has_ptrace_fpu_xsave_bug(void);
+extern int kdat_has_shstk(void);
 
 #endif /* __CR_ASM_KERNDAT_H__ */
diff --git a/criu/arch/x86/kerndat.c b/criu/arch/x86/kerndat.c
index a98797d39..3a58bbea7 100644
--- a/criu/arch/x86/kerndat.c
+++ b/criu/arch/x86/kerndat.c
@@ -17,6 +17,7 @@
 
 #include "asm/compat.h"
 #include "asm/dump.h"
+#include "asm/shstk.h"
 
 int kdat_can_map_vdso(void)
 {
@@ -251,3 +252,29 @@ out_kill:
 
 	return ret;
 }
+
+/*
+ * Unlike most kerndat knobs, this does not check for availability of the
+ * shadow stack in the kernel, but rather checks if criu runs with shadow
+ * stack enabled.
+ *
+ * This depends on hardware availability, kernel and glibc support, compiler
+ * options and glibc tunables.
+ */
+int kdat_has_shstk(void)
+{
+	unsigned long features;
+
+	if (!compel_cpu_has_feature(X86_FEATURE_SHSTK))
+		return 0;
+
+	if (syscall(__NR_arch_prctl, ARCH_SHSTK_STATUS, &features)) {
+		/* kernels that don't support shadow stack return -EINVAL */
+		if (errno == EINVAL)
+			return 0;
+		pr_perror("Cannot get shadow stack status");
+		return 1;
+	}
+
+	return !!(features & ARCH_SHSTK_SHSTK);
+}
diff --git a/criu/include/kerndat.h b/criu/include/kerndat.h
index 91dbd494b..41524ed66 100644
--- a/criu/include/kerndat.h
+++ b/criu/include/kerndat.h
@@ -87,6 +87,7 @@ struct kerndat_s {
 	bool has_ipv6_freebind;
 	bool has_membarrier_get_registrations;
 	bool has_pagemap_scan;
+	bool has_shstk;
 };
 
 extern struct kerndat_s kdat;
diff --git a/criu/kerndat.c b/criu/kerndat.c
index e3b378a9c..6f4fea46b 100644
--- a/criu/kerndat.c
+++ b/criu/kerndat.c
@@ -1151,6 +1151,24 @@ static int kerndat_has_openat2(void)
 	return 0;
 }
 
+int __attribute__((weak)) kdat_has_shstk(void)
+{
+	return 0;
+}
+
+static int kerndat_has_shstk(void)
+{
+	int ret = kdat_has_shstk();
+
+	if (ret < 0) {
+		pr_err("kdat_has_shstk failed\n");
+		return ret;
+	}
+
+	kdat.has_shstk = !!ret;
+	return 0;
+}
+
 #define KERNDAT_CACHE_NAME "criu.kdat"
 #define KERNDAT_CACHE_FILE KDAT_RUNDIR "/" KERNDAT_CACHE_NAME
 
@@ -1705,6 +1723,12 @@ int kerndat_try_load_new(void)
 		return ret;
 	}
 
+	ret = kerndat_has_shstk();
+	if (ret < 0) {
+		pr_err("kerndat_has_shstk failed when initializing kerndat.\n");
+		return ret;
+	}
+
 	/* New information is found, we need to save to the cache */
 	if (ret)
 		kerndat_save_cache();
@@ -1926,6 +1950,10 @@ int kerndat_init(void)
 		pr_err("kerndat_has_membarrier_get_registrations failed when initializing kerndat.\n");
 		ret = -1;
 	}
+	if (!ret && kerndat_has_shstk()) {
+		pr_err("kerndat_has_shstk failed when initializing kerndat.\n");
+		ret = -1;
+	}
 
 	kerndat_lsm();
 	kerndat_mmap_min_addr();