diff --git a/CHANGES b/CHANGES
index 0febf12fd4..b182db0706 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4170. [security] An incorrect boundary check in the OPENPGPKEY
+ rdatatype could trigger an assertion failure.
+ [RT #40286]
+
 4169. [test] Added a 'wire_test -d' option to read input as raw binary data, for use as a fuzzing harness. [RT #40312]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 1f6ca5b857..7d7a62080e 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -38,6 +38,12 @@ Security Fixes
+
+
+ An incorrect boundary check in the OPENPGPKEY rdatatype
+ could trigger an assertion failure. [RT #40286]
+
+
 A buffer accounting error could trigger an assertion failure
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index a91667d1c5..034a5f2245 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1268,7 +1268,7 @@ txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
 isc_buffer_activeregion(source, &sregion);
 if (sregion.length == 0)
- return(ISC_R_UNEXPECTEDEND);
+ return (ISC_R_UNEXPECTEDEND);
 n = *sregion.base + 1;
 if (n > sregion.length)
 return (ISC_R_UNEXPECTEDEND);
diff --git a/lib/dns/rdata/generic/openpgpkey_61.c b/lib/dns/rdata/generic/openpgpkey_61.c
index 684f37b6f7..99342a250f 100644
--- a/lib/dns/rdata/generic/openpgpkey_61.c
+++ b/lib/dns/rdata/generic/openpgpkey_61.c
@@ -81,6 +81,8 @@ fromwire_openpgpkey(ARGS_FROMWIRE) {
 * Keyring.
 */
 isc_buffer_activeregion(source, &sr);
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
 isc_buffer_forward(source, sr.length);
 return (mem_tobuffer(target, sr.base, sr.length));
 }
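Review bot: The added `if (sr.length < 1)` guard in fromwire_openpgpkey has no comment saying why an empty keyring is rejected, and no regression input for it is visible in this diff. I would put `/* An empty keyring is not valid OPENPGPKEY rdata; fail the parse here rather than reach an assertion later. */` above the check, and add a zero-length OPENPGPKEY record to the wire-format tests (the 'wire_test -d' harness from change 4169 looks like a natural home, though its test data is not shown here). For consistency with txt_fromwire in lib/dns/rdata.c, the condition could read `if (sr.length == 0)`. The function's opening lines are outside the hunk, so whether the other OPENPGPKEY entry points (fromtext, fromstruct) enforce the same non-empty invariant cannot be confirmed from here and is worth checking.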