diff --git a/CHANGES b/CHANGES
index 9bd4f51e7e..662106db0f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6350.	[bug]		Address use after free in expire_lru_headers. [GL #4495]
+
 --- 9.18.24 released ---
 
 6343.	[bug]		Fix case insensitive setting for isc_ht hashtable.
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 53088528e7..16e6a84f35 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -35,7 +35,12 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- None.
+- A use-after-free assertion might get triggered when the overmem cache
+  cleaning triggers. :gl:`#4595`
+
+  ISC would like to thank to Jinmei Tatuya from Infoblox for bringing
+  this issue to our attention.
+
 
 Known Issues
 ~~~~~~~~~~~~
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index b09d97ff64..b9e58a42b3 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -10213,22 +10213,21 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) {
 static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
 		   bool tree_locked) {
-	rdatasetheader_t *header, *header_prev;
+	rdatasetheader_t *header;
 	size_t purged = 0;
 
 	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
 	     header != NULL && header->last_used <= atomic_load(&rbtdb->last_used) &&
 	     purged <= purgesize;
-	     header = header_prev)
+	     header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
 	{
-		header_prev = ISC_LIST_PREV(header, link);
 		/*
 		 * Unlink the entry at this point to avoid checking it
 		 * again even if it's currently used someone else and
 		 * cannot be purged at this moment. This entry won't be
 		 * referenced any more (so unlinking is safe) since the
-		 * TTL was reset to 0.
+		 * TTL will be reset to 0.
 		 */
 		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
 		size_t header_size = rdataset_size(header);
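Review bot: The new for-update `header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum])` makes loop progress depend on every iteration removing the current tail; the ISC_LIST_UNLINK just below does so unconditionally, but the rest of the body runs past the hunk, so any later path that re-links `header` at the tail of the same list would now loop on the same entry instead of advancing. The comment above the unlink should record that invariant so a future edit does not reintroduce a cached prev pointer: `/* The loop re-reads ISC_LIST_TAIL() each pass; that is only correct because this unlink always removes the current tail. A prev pointer cached here could dangle if the header is freed later in the body. */`. The body of expire_lru_headers continues outside the hunk, so whether the freeing path can touch the list again cannot be confirmed from here. Separately, the CHANGES entry cites GL #4495 while the release note cites :gl:`#4595`; one of the two numbers looks mistyped.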