diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index d5be6a90..242fd060 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -12,7 +12,8 @@ ARG MAILU_GID=1000
 RUN set -euxo pipefail \
   ; addgroup -Sg ${MAILU_GID} mailu \
   ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \
-  ; apk add --no-cache bash ca-certificates curl python3 tzdata
+  ; apk add --no-cache bash ca-certificates curl python3 tzdata \
+  ; apk add --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc
 
 WORKDIR /app
 
diff --git a/towncrier/newsfragments/2525.feature b/towncrier/newsfragments/2525.feature
new file mode 100644
index 00000000..634733c7
--- /dev/null
+++ b/towncrier/newsfragments/2525.feature
@@ -0,0 +1 @@
+Switch to GrapheneOS's hardened_malloc