diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
new file mode 100644
index 00000000000..7b5d2c38925
--- /dev/null
+++ b/.github/workflows/vulnerabilities.yml
@@ -0,0 +1,70 @@
+name: vulnerabilities
+
+on:
+  push:
+    tags:
+      - 'v*'
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+
+  valgrind:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install valgrind
+      run: |
+        sudo apt-get install valgrind
+
+    - name: Run cargo-valgrind
+      run: |
+        CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUNNER="valgrind --error-exitcode=1" cargo test
+
+  careful:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install Rust nightly
+      uses: dtolnay/rust-toolchain@nightly
+      with:
+        toolchain: nightly
+        components: rust-src
+
+    - name: Install cargo-careful
+      env:
+        CAREFUL_LINK: https://github.com/RalfJung/cargo-careful/releases/download
+        CAREFUL_VERSION: 0.4.0
+      run: |
+        curl -L "$CAREFUL_LINK/v$CAREFUL_VERSION/cargo-careful.x86_64-unknown-linux-musl" \
+        --output $HOME/.cargo/bin/cargo-careful
+        chmod +x $HOME/.cargo/bin/cargo-careful
+
+    - name: Run cargo-careful
+      run: |
+        cargo +nightly careful test
+
+  address-sanitizer:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install Rust nightly
+      uses: dtolnay/rust-toolchain@nightly
+      with:
+        toolchain: nightly
+        components: rust-src
+
+    - name: Run AddressSanitizer
+      env:
+        RUSTFLAGS: -Zsanitizer=address -Zsanitizer=thread -Copt-level=3
+        RUSTDOCFLAGS: -Zsanitizer=address -Zsanitizer=thread
+      run: cargo test -Zbuild-std --target x86_64-unknown-linux-gnu