# This is security-sensitive code, and glibc vulns happen from time to time.
  # musl is security-focused and generally more minimal, so it's a better choice here.
  # The dynamic linker is still a fairly complex piece of code, and the wrappers are
  # quite small, so linking it statically is more appropriate.

Versions 0.9.13 through 1.2.5 are affected by CVE-2025-26519, an input-controlled out-of-bounds memory write primitive in iconv when the input encoding is EUC-KR and the output encoding is UTF-8, which could potentially be used as a vector to achieve arbitrary code execution. All users of software which may use iconv should patch (1, 2).

        > aarch64-unknown-linux-musl-ar rc lib/libc.a obj/src/aio/aio.lo obj/src/aio/aio_suspend.lo obj/src/aio/lio_listio.lo obj/src/complex/__cexp.lo obj/src/complex/__cexpf.lo obj/src/complex/cab…
┃        > aarch64-unknown-linux-musl-gcc -std=c99 -nostdinc -ffreestanding -fexcess-precision=standard -frounding-math -fno-strict-aliasing -Wa,--noexecstack -D_XOPEN_SOURCE=700 -I./arch/aarch64 -I.…
┃        > -Wl,-e,_dlstart -o lib/libc.so obj/src/aio/aio.lo obj/src/aio/aio_suspend.lo obj/src/aio/lio_listio.lo obj/src/complex/__cexp.lo obj/src/complex/__cexpf.lo obj/src/complex/cabs.lo obj/src/…
┃        > aarch64-unknown-linux-musl-ranlib lib/libc.a
┃        > collect2: fatal error: cannot find 'ld'