diff --git a/CHANGES b/CHANGES
index 692ed6e742..94794987ed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -23,7 +23,11 @@
 			Replace it by isc_task_send() when we are shutting
 			down. [GL !6275]
 
-5886.	[placeholder]
+	--- 9.19.1 released ---
+
+5886.	[security]	Fix a crash in DNS-over-HTTPS (DoH) code caused by
+			premature TLS stream socket object deletion.
+			(CVE-2022-1183) [GL #3216]
 
 5885.	[bug]		RPZ NSIP and NSDNAME rule processing didn't handle stub
 			and static-stub zones at or above the query name.  This
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 5673978a16..ede9b5a995 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -37,6 +37,7 @@ https://www.isc.org/download/. There you will find additional
 information about each release, and source code.
 
 .. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.19.1.rst
 .. include:: ../notes/notes-9.19.0.rst
 
 .. _relnotes_license:
diff --git a/doc/notes/notes-9.19.1.rst b/doc/notes/notes-9.19.1.rst
new file mode 100644
index 0000000000..30ab7cf0fb
--- /dev/null
+++ b/doc/notes/notes-9.19.1.rst
@@ -0,0 +1,65 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.19.1
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, TLS socket objects could be destroyed prematurely, which
+  triggered assertion failures in :iscman:`named` instances serving
+  DNS-over-HTTPS (DoH) clients. This has been fixed.
+
+  ISC would like to thank Thomas Amgarten from arcade solutions ag for
+  bringing this vulnerability to our attention. (CVE-2022-1183)
+  :gl:`#3216`
+
+New Features
+~~~~~~~~~~~~
+
+- Catalog Zones schema version 2, as described in the
+  "DNS Catalog Zones" IETF draft version 5 document, is now supported by
+  :iscman:`named`. All of the previously supported BIND-specific catalog
+  zone custom properties (``primaries``, ``allow-query``, and
+  ``allow-transfer``), as well as the new Change of Ownership (``coo``)
+  property, are now implemented. Schema version 1 is still supported,
+  with some additional validation rules applied from schema version 2:
+  for example, the ``version`` property is mandatory, and a member zone
+  PTR RRset must not contain more than one record. In the event of a
+  validation error, a corresponding error message is logged to help with
+  diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
+  :gl:`#3224` :gl:`#3225`
+
+- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
+  ``Stale NXDOMAIN Answer`` when stale answers are returned from cache.
+  :gl:`#2267`
+
+- The Object Identifier (OID) embedded at the start of a PRIVATEOID
+  public key in a KEY, DNSKEY, CDNSKEY, or RKEY resource records is now
+  checked to ensure that it is valid when reading from zone files or
+  receiving data on the wire. The Object Identifier is now printed when
+  the ``dig +rrcomments`` option is used. Similarly, the name embedded
+  at the start of a PRIVATEDNS public key is also checked for validity.
+  :gl:`#3234`
+
+- The Object Identifier (OID) embedded at the start of a PRIVATEOID
+  signature in a SIG, or RRSIG resource records is now checked to
+  ensure that it is valid when reading from zone files or receiving
+  data on the wire.  Similarly, the name embedded at the start of
+  a PRIVATEDNS public key is also checked for validity. :gl:`#3296`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+  when configured with the ``auto-dnssec maintain;`` option. This has
+  been fixed. :gl:`#2931`
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 162c3b06e6..93af22635f 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -964,6 +964,7 @@ struct isc_nmsocket {
 						    worker */
 		size_t n_listener_tls_ctx;
 		isc_nmsocket_t *tlslistener;
+		isc_nmsocket_t *tlssocket;
 		atomic_bool result_updated;
 		enum {
 			TLS_INIT,
diff --git a/lib/isc/netmgr/tlsstream.c b/lib/isc/netmgr/tlsstream.c
index 2734bae7ae..e725159471 100644
--- a/lib/isc/netmgr/tlsstream.c
+++ b/lib/isc/netmgr/tlsstream.c
@@ -213,7 +213,6 @@ tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result) {
 
 	if (destroy) {
 		isc__nmsocket_prep_destroy(sock);
-		isc__nmsocket_detach(&sock);
 	}
 }
 
@@ -415,21 +414,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
 				send_data->cb.send(send_data->handle, result,
 						   send_data->cbarg);
 				send_data = NULL;
-				/* This situation might occur only when SSL
-				 * shutdown was already sent (see
-				 * tls_send_outgoing()), and we are in the
-				 * process of shutting down the connection (in
-				 * this case tls_senddone() will be called), but
-				 * some code tries to send data over the
-				 * connection and called isc_tls_send(). The
-				 * socket will be detached there, in
-				 * tls_senddone().*/
-				if (sent_shutdown || received_shutdown) {
-					return;
-				} else {
-					isc__nmsocket_detach(&sock);
-					return;
-				}
+				return;
 			}
 		}
 
@@ -632,6 +617,12 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 	tlssock->read_timeout = atomic_load(&handle->sock->mgr->init);
 	tlssock->tid = tid;
 
+	/*
+	 * Hold a reference to tlssock in the TCP socket: it will
+	 * detached in isc__nm_tls_cleanup_data().
+	 */
+	handle->sock->tlsstream.tlssocket = tlssock;
+
 	result = initialize_tls(tlssock, true);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	/* TODO: catch failure code, detach tlssock, and log the error */
@@ -829,7 +820,7 @@ tls_close_direct(isc_nmsocket_t *sock) {
 		isc__nmsocket_detach(&sock->listener);
 	}
 
-	/* further cleanup performed in isc__nm_tls_cleanup_data() */
+	/* Further cleanup performed in isc__nm_tls_cleanup_data() */
 	atomic_store(&sock->closed, true);
 	atomic_store(&sock->active, false);
 	sock->tlsstream.state = TLS_CLOSED;
@@ -952,6 +943,12 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 	isc_nmhandle_attach(handle, &tlssock->outerhandle);
 	atomic_store(&tlssock->active, true);
 
+	/*
+	 * Hold a reference to tlssock in the TCP socket: it will
+	 * detached in isc__nm_tls_cleanup_data().
+	 */
+	handle->sock->tlsstream.tlssocket = tlssock;
+
 	tls_do_bio(tlssock, NULL, NULL, false);
 	return;
 error:
@@ -1019,8 +1016,9 @@ void
 isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
 	if (sock->type == isc_nm_tcplistener &&
 	    sock->tlsstream.tlslistener != NULL) {
-		REQUIRE(VALID_NMSOCK(sock->tlsstream.tlslistener));
 		isc__nmsocket_detach(&sock->tlsstream.tlslistener);
+	} else if (sock->type == isc_nm_tlslistener) {
+		tls_cleanup_listener_tlsctx(sock);
 	} else if (sock->type == isc_nm_tlssocket) {
 		if (sock->tlsstream.ctx != NULL) {
 			isc_tlsctx_free(&sock->tlsstream.ctx);
@@ -1031,8 +1029,13 @@ isc__nm_tls_cleanup_data(isc_nmsocket_t *sock) {
 			sock->tlsstream.bio_out = NULL;
 			sock->tlsstream.bio_in = NULL;
 		}
-	} else if (sock->type == isc_nm_tlslistener) {
-		tls_cleanup_listener_tlsctx(sock);
+	} else if (sock->type == isc_nm_tcpsocket &&
+		   sock->tlsstream.tlssocket != NULL) {
+		/*
+		 * The TLS socket can't be destroyed until its underlying TCP
+		 * socket is, to avoid possible use-after-free errors.
+		 */
+		isc__nmsocket_detach(&sock->tlsstream.tlssocket);
 	}
 }