diff --git a/src/exec.c b/src/exec.c
index f8856b426..72e1046b2 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -533,7 +533,7 @@ free_exec_closure(struct exec_closure *ec)
     debug_decl(free_exec_closure, SUDO_DEBUG_EXEC);
 
     /* Free any remaining intercept resources. */
-    intercept_cleanup();
+    intercept_cleanup(ec);
 
     sudo_ev_base_free(ec->evbase);
     sudo_ev_free(ec->backchannel_event);
diff --git a/src/exec_intercept.c b/src/exec_intercept.c
index 445c43671..7bb7a6e53 100644
--- a/src/exec_intercept.c
+++ b/src/exec_intercept.c
@@ -199,13 +199,19 @@ intercept_connection_close(struct intercept_closure *closure)
 }
 
 void
-intercept_cleanup(void)
+intercept_cleanup(struct exec_closure *ec)
 {
     debug_decl(intercept_cleanup, SUDO_DEBUG_EXEC);
 
     if (accept_closure != NULL) {
+	/* DSO-based intercept. */
 	intercept_connection_close(accept_closure);
 	accept_closure = NULL;
+    } else if (ec->intercept != NULL) {
+	/* ptrace-based intercept. */
+	intercept_closure_reset(ec->intercept);
+	free(ec->intercept);
+	ec->intercept = NULL;
     }
 
     debug_return;
diff --git a/src/sudo_exec.h b/src/sudo_exec.h
index f56b3c6c5..dc12c9fee 100644
--- a/src/sudo_exec.h
+++ b/src/sudo_exec.h
@@ -186,7 +186,7 @@ char **enable_monitor(char *envp[], const char *dso);
 
 /* exec_intercept.c */
 void *intercept_setup(int fd, struct sudo_event_base *evbase, struct command_details *details);
-void intercept_cleanup(void);
+void intercept_cleanup(struct exec_closure *ec);
 
 /* exec_iolog.c */
 bool log_ttyin(const char *buf, unsigned int n, struct io_buffer *iob);