diff --git a/Base/usr/share/man/man2/pledge.md b/Base/usr/share/man/man2/pledge.md
index 8558f464ed..ca6adda653 100644
--- a/Base/usr/share/man/man2/pledge.md
+++ b/Base/usr/share/man/man2/pledge.md
@@ -53,6 +53,7 @@ If the process later attempts to use any system functionality it has previously
 * `sendfd`: Send file descriptors over a local socket
 * `recvfd`: Receive file descriptors over a local socket
 * `ptrace`: The [`ptrace(2)`](ptrace.md) syscall (\*)
+* `prot_exec`: [`mmap(2)`](mmap.md) and [`mprotect(2)`](mprotect.md) with `PROT_EXEC` (\*)
 Promises marked with an asterisk (\*) are SerenityOS specific extensions not supported by the original OpenBSD `pledge()`.
diff --git a/Kernel/Process.h b/Kernel/Process.h
index 612bd6317d..373abe8090 100644
--- a/Kernel/Process.h
+++ b/Kernel/Process.h
@@ -81,7 +81,8 @@ extern VirtualAddress g_return_to_ring3_from_signal_trampoline;
 __ENUMERATE_PLEDGE_PROMISE(accept) \
 __ENUMERATE_PLEDGE_PROMISE(settime) \
 __ENUMERATE_PLEDGE_PROMISE(sigaction) \
- __ENUMERATE_PLEDGE_PROMISE(setkeymap)
+ __ENUMERATE_PLEDGE_PROMISE(setkeymap) \
+ __ENUMERATE_PLEDGE_PROMISE(prot_exec)
 enum class Pledge : u32 {
 #define __ENUMERATE_PLEDGE_PROMISE(x) x,
diff --git a/Kernel/Syscalls/mmap.cpp b/Kernel/Syscalls/mmap.cpp
index 8a95d38e4b..6233e3ba43 100644
--- a/Kernel/Syscalls/mmap.cpp
+++ b/Kernel/Syscalls/mmap.cpp
@@ -163,6 +163,10 @@ void* Process::sys$mmap(Userspace user_params)
 int fd = params.fd;
 int offset = params.offset;
+ if (prot & PROT_EXEC) {
+ REQUIRE_PROMISE(prot_exec);
+ }
+
 if (alignment & ~PAGE_MASK)
 return (void*)-EINVAL;
@@ -274,6 +278,10 @@ int Process::sys$mprotect(void* addr, size_t size, int prot)
 {
 REQUIRE_PROMISE(stdio);
+ if (prot & PROT_EXEC) {
+ REQUIRE_PROMISE(prot_exec);
+ }
+
 if (!size)
 return -EINVAL;
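Review bot: The three-line `prot & PROT_EXEC` guard added to `sys$mmap` in Kernel/Syscalls/mmap.cpp is repeated verbatim in the `sys$mprotect` hunk of the same file, and neither copy says why it is there. I would put a short comment on both, for example `// Creating or enabling an executable mapping requires the prot_exec promise.`, so that any later syscall able to hand out executable memory is recognised as needing the same check. `REQUIRE_PROMISE` is defined outside this diff; if it terminates the caller rather than returning an error, every already-pledged program that maps code (a loader or a JIT, for instance) has to add `prot_exec` to its promise string in the same change, and no such caller is updated in the hunks shown here. Both function bodies continue outside their hunks.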