diff --git a/share/man/man7/mitigations.7 b/man/man7/mitigations.7
--- a/share/man/man7/mitigations.7
+++ b/man/man7/mitigations.7
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd July 23, 2024
+.Dd January 24, 2025
 .Dt MITIGATIONS 7
 .Os
 .Sh NAME
@@ -317,6 +317,15 @@
 This effectively provides finer-grained protection than SSP for some class of
 function and system calls, along with some protection for buffers allocated
 as part of the program data.
+.Pp
+Additionally building with
+.Dq FORTIFY_SOURCE
+considers a trailing array as a flexible array only if declared as [], [0], or [1],
+instead of assuming that every trailing array is a flexible array.
+This enables additional bounds checks at runtime for the above mentioned
+functions and cases,
+and performs some additional build-time checks which abort the compilation when
+an out-of-bounds access is detected.
 .\"
 .Ss Supervisor mode memory protection
 Certain processors include features that prevent unintended access to memory
diff --git a/share/mk/bsd.sys.mk b/mk/bsd.sys.mk
--- a/share/mk/bsd.sys.mk
+++ b/mk/bsd.sys.mk
@@ -308,8 +308,11 @@
 CFLAGS+= ${SSP_CFLAGS}
 .endif # SSP
 .if ${FORTIFY_SOURCE} > 0
-CFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
-CXXFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+# Ideally we want -fstrict-flex-arrays=3, but even =2 shows issues.
+# Code should be converted to use C99 "array[]" instead of GCC "array[0]"
+# or non-standard "array[1]" to be able to switch to =3.
+CFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE} -fstrict-flex-arrays=1
+CXXFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE} -D_GLIBCXX_ASSERTIONS -fstrict-flex-arrays=1
 .endif
 # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is
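Review bot: In the bsd.sys.mk hunk, `-fstrict-flex-arrays=1` is appended to CFLAGS and CXXFLAGS unconditionally whenever FORTIFY_SOURCE > 0, but the option is only understood by recent compilers (GCC 13+, Clang 16+), so an older toolchain fails with an unrecognized-option error instead of merely losing the extra check; if a compiler type/version variable is in scope for this file (not visible in the hunk), gate the flag on it. On the CXXFLAGS line, `-D_GLIBCXX_ASSERTIONS` only hardens libstdc++ and is a no-op when the C++ standard library is libc++, so the line may promise bounds assertions that never take effect on a Clang/libc++ build; the libc++ counterpart is `-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST` (libc++ 18+, `-D_LIBCPP_ENABLE_ASSERTIONS=1` on 15–17), and it should be selected per toolchain rather than hard-coded. The new comment block explains the flex-array level but says nothing about the C++ assertion macro; a line such as `# _GLIBCXX_ASSERTIONS enables libstdc++ bounds/precondition checks; it has no effect with libc++.` would keep the intent discoverable, and the mitigations.7 text added in the same change does not mention it either.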