diff --git a/CHANGES b/CHANGES
index 6102b871ac..642f06e901 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4102. [bug] Fix a use after free bug introduced in change
+ #4094. [RT #39281]
+
 4101. [bug] dig: the +split option didn't work with +short.
 [RT #39291]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 8e1817f336..2ec1c32d01 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -807,6 +807,7 @@ resquery_destroy(resquery_t **queryp) {
 isc_boolean_t empty;
 resquery_t *query;
 fetchctx_t *fctx;
+ unsigned int bucket;
 REQUIRE(queryp != NULL);
 query = *queryp;
@@ -816,12 +817,13 @@ resquery_destroy(resquery_t **queryp) {
 fctx = query->fctx;
 res = fctx->res;
+ bucket = fctx->bucketnum;
 fctx->nqueries--;
- LOCK(&res->buckets[fctx->bucketnum].lock);
+ LOCK(&res->buckets[bucket].lock);
 empty = fctx_decreference(query->fctx);
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
+ UNLOCK(&res->buckets[bucket].lock);
 query->magic = 0;
 isc_mem_put(query->mctx, query, sizeof(*query));
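Review bot: In the second resolver.c hunk, nothing in the code records why `bucket` is read before `fctx_decreference()`, so a later cleanup could fold it back into `fctx->bucketnum` and reintroduce the use after free named in the CHANGES entry. I would add a comment above the assignment such as `/* fctx may be freed by fctx_decreference(); cache the bucket number so UNLOCK does not dereference it. */`; that the free happens inside that call is inferred from the changelog and the shape of the fix, since its body is not in the diff. As a cheap hardening step, setting `fctx = NULL;` right after the `UNLOCK` would turn any later stray use into a deterministic NULL dereference instead of a read of freed memory. resquery_destroy starts before and continues past these hunks, so I cannot confirm that no later line touches `fctx`.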