diff --git a/lib/libcrypto/cms/cms_pwri.c b/lib/libcrypto/cms/cms_pwri.c
index d282d1d42f7..36a53568d10 100644
--- a/lib/libcrypto/cms/cms_pwri.c
+++ b/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.36 2026/06/09 12:12:34 tb Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.37 2026/06/09 12:20:34 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -232,6 +232,10 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
 unsigned char *tmp;
 int outl, rv = 0;
 
+ /* Ensure inlen is large enough that tmp[6] is in bounds. */
+ if (blocklen < 4)
+ return 0;
+
 if (inlen < 2 * blocklen) {
 /* too small */
 return 0;
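Review bot: The added comment in kek_unwrap_key says the guard makes inlen large enough, but the test is on blocklen, so the bound on inlen only follows once the `inlen < 2 * blocklen` check directly below has also passed. Spelling out that dependency would keep a later reorder or removal of the second check from silently reintroducing the out-of-bounds read, e.g. `/* With blocklen >= 4, the inlen >= 2 * blocklen check below implies inlen >= 8, so tmp[6] is in bounds. */`. The allocation of tmp and the tmp[6] access are outside this hunk, so this assumes tmp is sized from inlen. The function body starts before and continues past the hunk, so the declaration and type of blocklen are not visible here either; it is worth confirming that it cannot carry a negative value converted to an unsigned type, which would pass `blocklen < 4`.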