There's stack corruption in qsort if it's called on giant arrays.
"The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical)."
https://nvd.nist.gov/vuln/detail/CVE-2026-40200
It's pretty easy to patch, but there's a PR to update musl to 1.2.6. Given how big the array needs to be, we might want to wait for that merge to patch this CVE.
Patch:
https://www.openwall.com/lists/musl/2026/04/10/3/1
There's stack corruption in qsort if it's called on giant arrays.
"The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical)."
https://nvd.nist.gov/vuln/detail/CVE-2026-40200
It's pretty easy to patch, but there's a PR to update musl to 1.2.6. Given how big the array needs to be, we might want to wait for that merge to patch this CVE.
Patch:
https://www.openwall.com/lists/musl/2026/04/10/3/1