I think one should simply hold the last known good kernel:
sudo apt-mark hold linux-image-$(uname -r)
That command puts the currently running kernel on hold, so it is important to boot the last good one first.
Once the regression has been fixed, just run the opposite:
sudo apt-mark unhold linux-image-$(uname -r)
One should also make sure that booting the known-good kernel automatically makes it the default, to prevent future reboots from selecting the latest kernel, which is the distro default.
sudo mkdir -p /etc/default/grub.d
sudo tee /etc/default/grub.d/zz-save_default.cfg >/dev/null <<EOF
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
EOF
sudo update-grub
This carries the risk of accidentally booting the old, potentially vulnerable kernel long after the regression has been fixed, so one should keep a close eye on upgrades and test them. Once the issue is gone, the above config drop-in should be removed or disabled:
sudo mv /etc/default/grub.d/zz-save_default.cfg{,.disabled}
sudo update-grub
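The following check is an added example, not part of the original answer: it reports whether the hold and the saved-default drop-in described above are still active once a kernel newer than the regressed one has been installed, which is the point at which the workaround should be retested and undone. The function names, the status labels (clean, pinned, retest) and the sample kernel releases are assumptions made for illustration; it relies on GNU `sort -V`.

```shell
#!/bin/sh
# Added example: spot a kernel pin that has outlived the regression.
# Function names and status labels are hypothetical.

# Keep only versioned kernel image packages from `apt-mark showhold` output.
held_kernels() {
    printf '%s\n' "$1" | grep -E '^linux-image-[0-9]' || true
}

# Highest release among linux-image-<release> package names (GNU sort -V).
newest_installed() {
    printf '%s\n' "$1" | sed -n 's/^linux-image-\([0-9].*\)$/\1/p' |
        sort -V | tail -n 1
}

# pin_status RUNNING HOLDS INSTALLED SAVED_DEFAULT(yes|no) KNOWN_BAD
#   clean  - no kernel hold and no saved-default drop-in
#   pinned - workaround active, newest installed kernel is the running or bad one
#   retest - workaround active and a newer kernel is installed: test it, then undo
pin_status() {
    running=$1
    held=$(held_kernels "$2")
    newest=$(newest_installed "$3")
    if [ -z "$held" ] && [ "$4" = "no" ]; then
        echo clean
    elif [ -n "$newest" ] && [ "$newest" != "$running" ] && [ "$newest" != "$5" ]; then
        echo retest
    else
        echo pinned
    fi
}

# Gather the same inputs from a live Debian/Ubuntu system.
audit_live_system() {
    saved=no
    if [ -e /etc/default/grub.d/zz-save_default.cfg ]; then saved=yes; fi
    installed=$(dpkg-query -W -f='${db:Status-Abbrev}${Package}\n' \
        'linux-image-[0-9]*' | awk '$1 == "ii" { print $2 }')
    pin_status "$(uname -r)" "$(apt-mark showhold)" "$installed" "$saved" "$1"
}

if [ "${1:-}" = "--live" ]; then
    audit_live_system "${2:-}"   # $2: release string of the regressed kernel
else
    # Constructed sample: -91 held and running, -92 regressed, -94 newly installed.
    pin_status 5.15.0-91-generic linux-image-5.15.0-91-generic \
        'linux-image-5.15.0-91-generic
linux-image-5.15.0-92-generic
linux-image-5.15.0-94-generic' yes 5.15.0-92-generic
fi
```

Run it with `--live` followed by the regressed kernel's release string (in `uname -r` form) to check the actual system; without arguments it evaluates the constructed sample and prints `retest`.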