diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
@@ -162,19 +162,43 @@ "");
 #define ASLR_NODE_OID __CONCAT(__CONCAT(_kern_elf, __ELF_WORD_SIZE), _aslr)
+/*
+ * While for 64 bit machines ASLR is working properly, there are
+ * still some problems when using 32 bit architectures. For this
+ * reason ASLR is only enabled by default when running native
+ * 64 bit programs.
+ */
+#if __ELF_WORD_SIZE == 64
+static int __elfN(aslr_enabled) = 1;
+#else
 static int __elfN(aslr_enabled) = 0;
+#endif
 SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, enable, CTLFLAG_RWTUN, &__elfN(aslr_enabled), 0, __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable address map randomization");
+#if __ELF_WORD_SIZE == 64
+static int __elfN(pie_aslr_enabled) = 1;
+#else
 static int __elfN(pie_aslr_enabled) = 0;
+#endif
 SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, pie_enable, CTLFLAG_RWTUN, &__elfN(pie_aslr_enabled), 0, __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": enable address map randomization for PIE binaries");
+/*
+ * With this disabled the bss grow region can also be used for ASLR.
+ *
+ * Sbrk is now deprecated and it can be assumed, that in most
+ * cases it will not be used anyway.
+ */
+#if __ELF_WORD_SIZE == 64
+static int __elfN(aslr_honor_sbrk) = 0;
+#else
 static int __elfN(aslr_honor_sbrk) = 1;
+#endif
 SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RW, &__elfN(aslr_honor_sbrk), 0, __XSTRING(__CONCAT(ELF, __ELF_WORD_SIZE)) ": assume sbrk is used");
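Review bot: The new 64-bit default `__elfN(aslr_honor_sbrk) = 0` rests only on the comment's assumption that sbrk is rarely used, yet the `honor_sbrk` knob is still declared `CTLFLAG_RW` while `enable` and `pie_enable` are `CTLFLAG_RWTUN`. With the default flipped, a system that runs sbrk-dependent binaries would presumably want the old behaviour in place from boot, so I would declare it as `SYSCTL_INT(ASLR_NODE_OID, OID_AUTO, honor_sbrk, CTLFLAG_RWTUN,` to match its siblings. The added comment should also say what a program that still calls sbrk can expect when the knob is 0, and which setting restores the previous behaviour. The first comment's "some problems" on 32 bit is too vague for someone deciding whether to turn the 32-bit knobs on by hand; naming the known problem, or pointing to where it is tracked, would fix that.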