diff --git a/CHANGES b/CHANGES
index 06e90008c2..f9c4c318a6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4265.	[bug]		Address unchecked isc_mem_get calls. [RT #41187]
+
 4264.	[bug]		Check const of strchr/strrchr assignments match
 			argument's const status. [RT #41150]
 
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index d47b265f15..af931db4dd 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -78,6 +78,8 @@ openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 	UNUSED(key);
 
 	sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+	if (sha1ctx == NULL)
+		return (ISC_R_NOMEMORY);
 	isc_sha1_init(sha1ctx);
 	dctx->ctxdata.sha1ctx = sha1ctx;
 	return (ISC_R_SUCCESS);
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 107813bbe3..9340b13601 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1784,6 +1784,9 @@ static isc_result_t
 mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
 	isc_region_t tr;
 
+	if (length == 0U)
+		return (ISC_R_SUCCESS);
+
 	isc_buffer_availableregion(target, &tr);
 	if (length > tr.length)
 		return (ISC_R_NOSPACE);
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index a69b4c9bf5..0d204e9db7 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -990,7 +990,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 	if (nonce != NULL)
 		isc_buffer_usedregion(nonce, &r);
 	else {
-		r.base = isc_mem_get(msg->mctx, 0);
+		r.base = NULL;
 		r.length = 0;
 	}
 	tkey.error = 0;
@@ -1001,9 +1001,6 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 
 	RETERR(buildquery(msg, name, &tkey, ISC_FALSE));
 
-	if (nonce == NULL)
-		isc_mem_put(msg->mctx, r.base, 0);
-
 	RETERR(dns_message_gettemprdata(msg, &rdata));
 	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
 	RETERR(dst_key_todns(key, dynbuf));
@@ -1234,12 +1231,10 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	if (nonce != NULL)
 		isc_buffer_usedregion(nonce, &r2);
 	else {
-		r2.base = isc_mem_get(rmsg->mctx, 0);
+		r2.base = NULL;
 		r2.length = 0;
 	}
 	RETERR(compute_secret(shared, &r2, &r, &secret));
-	if (nonce == NULL)
-		isc_mem_put(rmsg->mctx, r2.base, 0);
 
 	isc_buffer_usedregion(&secret, &r);
 	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
index a83febabca..ed23400d53 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
@@ -62,6 +62,8 @@ isc_md5_invalidate(isc_md5_t *ctx) {
 
 void
 isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+	if (len == 0U)
+		return;
 	RUNTIME_CHECK(EVP_DigestUpdate(ctx,
 				       (const void *) buf,
 				       (size_t) len) == 1);