diff --git a/CHANGES b/CHANGES
index 655694c8d1..626c497404 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6403. [security] qctx-zversion was not being cleared when it should have
+ been leading to an assertion failure if it needed to be
+ reused. (CVE-2024-4076) [GL #4507]
+
 6402. [security] Remove SIG(0) support from named as a countermeasure for CVE-2024-1975. [GL #4480]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index fbd682b01b..5aeb796621 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -39,6 +39,10 @@ Security Fixes
 Support for SIG(0) message validation was removed from this version of :iscman:`named`. :cve:`2024-1975` :gl:`#4480`
+- Due to a logic error, lookups that trigger serving stale data and require
+ lookups in local authoritative zone data may result in an assertion failure.
+ This has been fixed. :cve:`2024-4076` :gl:`#4507`
+
 - Named could trigger an assertion failure when looking up the NS records of parent zones as part of looking up DS records. This has been fixed. :gl:`#4661`
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 37b0d0ab0d..132a151bed 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5325,6 +5325,7 @@ qctx_freedata(query_ctx_t *qctx) {
 ns_client_releasename(qctx->client, &qctx->zfname);
 dns_db_detachnode(qctx->zdb, &qctx->znode);
 dns_db_detach(&qctx->zdb);
+ qctx->zversion = NULL;
 }
 if (qctx->event != NULL && !qctx->client->nodetach) {
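Review bot: The added `qctx->zversion = NULL;` in the lib/ns/query.c hunk drops the pointer with no close or detach call beside it, unlike zfname, znode and zdb on the three lines above, and nothing in the hunk says why that is safe. If the version is owned elsewhere, which the fix seems to assume, a short comment would stop a later reader from turning it into a double close, for example `/* zversion is not owned by qctx; forget it together with zdb. */`. The reset also sits inside a conditional block whose guard is above the hunk (qctx_freedata() starts before and continues after the lines shown), so it is worth confirming that zversion can never be non-NULL when that guard is false; otherwise the assertion on reuse remains reachable. As shown, the commit touches only CHANGES, the release notes and this one line, so a regression test covering the stale-answer path with local authoritative zone data would help keep this remotely triggerable abort from returning.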