diff --git a/crypto/mem.c b/crypto/mem.c
index 032f2a9cd1..c6cdfb36e1 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -38,7 +38,8 @@ static TSAN_QUALIFIER int free_count;
 # define LOAD(x) tsan_load(&x)
 # endif /* TSAN_REQUIRES_LOCKING */
-static char *md_failstring;
+static char md_failbuf[CRYPTO_MEM_CHECK_MAX_FS + 1];
+static char *md_failstring = NULL;
 static long md_count;
 static int md_fail_percent = 0;
 static int md_tracefd = -1;
@@ -164,9 +165,17 @@ static int shouldfail(void)
 void ossl_malloc_setup_failures(void)
 {
 const char *cp = getenv("OPENSSL_MALLOC_FAILURES");
+ size_t cplen = 0;
- if (cp != NULL && (md_failstring = strdup(cp)) != NULL)
- parseit();
+ if (cp != NULL) {
+ /* if the value is too long we'll just ignore it */
+ cplen = strlen(cp);
+ if (cplen <= CRYPTO_MEM_CHECK_MAX_FS) {
+ strncpy(md_failbuf, cp, CRYPTO_MEM_CHECK_MAX_FS);
+ md_failstring = md_failbuf;
+ parseit();
+ }
+ }
 if ((cp = getenv("OPENSSL_MALLOC_FD")) != NULL)
 md_tracefd = atoi(cp);
 if ((cp = getenv("OPENSSL_MALLOC_SEED")) != NULL)
diff --git a/doc/man3/OPENSSL_malloc.pod b/doc/man3/OPENSSL_malloc.pod
index 06bb192609..fccf3bd788 100644
--- a/doc/man3/OPENSSL_malloc.pod
+++ b/doc/man3/OPENSSL_malloc.pod
@@ -171,7 +171,8 @@ It is a set of fields separated by semicolons, which each field is a count to 100). If the count is zero, then it lasts forever. For example, C<100;@25> or C<100@0;0@25> means the first 100 allocations pass, then all other allocations (until the program exits or crashes) have a 25% chance of
-failing.
+failing. The length of the value of B must be 256 or
+fewer characters.
 If the variable B is parsed as a positive integer, then it is taken as an open file descriptor. This is used in conjunction with
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
index 101719ab5b..e0ace5e5a0 100644
--- a/include/openssl/crypto.h.in
+++ b/include/openssl/crypto.h.in
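Review bot: The `strncpy(md_failbuf, cp, CRYPTO_MEM_CHECK_MAX_FS)` call in ossl_malloc_setup_failures() writes no terminator when the value is exactly CRYPTO_MEM_CHECK_MAX_FS characters long, so termination relies on the last byte of the static `md_failbuf` still being zero. Since `cplen` has already been checked against the limit, `memcpy(md_failbuf, cp, cplen + 1);` copies the terminator explicitly and makes the bound obvious to the next reader. An over-long value is also dropped without any trace, so a test run can believe failure injection is active when it is not; a diagnostic on that path, or at least a comment saying the silence is intended, would help. The function body continues past the end of this hunk.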
@@ -368,6 +368,9 @@ void OPENSSL_cleanse(void *ptr, size_t len);
 # define CRYPTO_MEM_CHECK_ENABLE 0x2 /* Control and mode bit */
 # define CRYPTO_MEM_CHECK_DISABLE 0x3 /* Control only */
+/* max allowed length for value of OPENSSL_MALLOC_FAILURES env var. */
+# define CRYPTO_MEM_CHECK_MAX_FS 256
+
 void CRYPTO_get_alloc_counts(int *mcount, int *rcount, int *fcount);
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 # define OPENSSL_mem_debug_push(info) \
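Review bot: `CRYPTO_MEM_CHECK_MAX_FS` is added to the public header directly under the `CRYPTO_MEM_CHECK_*` control values, although it is a buffer limit rather than a control value and, as far as this diff shows, is only used in crypto/mem.c. Defining it next to `md_failbuf` in crypto/mem.c, or in an internal header, would keep it out of the installed API, where applications could come to depend on it. If it has to stay public, the comment should say what the number counts, for example `/* Max length, excluding the terminating NUL, of the OPENSSL_MALLOC_FAILURES value; longer values are ignored */`.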