diff --git a/apps/crl2pkcs7.c b/apps/crl2pkcs7.c
index ba24d31d5f..164b9eb640 100644
--- a/apps/crl2pkcs7.c
+++ b/apps/crl2pkcs7.c
@@ -138,7 +138,9 @@ int crl2pkcs7_main(int argc, char **argv)
 if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
 goto end;
 p7s->crl = crl_stack;
- sk_X509_CRL_push(crl_stack, crl);
+
+ if (!sk_X509_CRL_push(crl_stack, crl))
+ goto end;
 crl = NULL; /* now part of p7 for OPENSSL_freeing */
 }
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 3bc6465945..85e5094b9e 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2515,18 +2515,24 @@ static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
 crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
 crl = load_crl_crldp(crldp);
 sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
- if (!crl) {
- sk_X509_CRL_free(crls);
- return NULL;
- }
- sk_X509_CRL_push(crls, crl);
+
+ if (crl == NULL || !sk_X509_CRL_push(crls, crl))
+ goto error;
+
 /* Try to download delta CRL */
 crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
 crl = load_crl_crldp(crldp);
 sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
- if (crl)
- sk_X509_CRL_push(crls, crl);
+
+ if (crl != NULL && !sk_X509_CRL_push(crls, crl))
+ goto error;
+
 return crls;
+
+error:
+ X509_CRL_free(crl);
+ sk_X509_CRL_free(crls);
+ return NULL;
 }
 void store_setup_crl_download(X509_STORE *st)
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index 4415ede449..13fd6f898d 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -797,9 +797,10 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl)
 if (crl != NULL) {
 if ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL
- || (crl_copy = X509_CRL_dup(crl)) == NULL)
+ || (crl_copy = X509_CRL_dup(crl)) == NULL
+ || !sk_X509_CRL_push(crls, crl_copy))
 goto err;
- (void)sk_X509_CRL_push(crls, crl_copy); /* cannot fail */
+ crl_copy = NULL; /* ownership transferred to crls */
 }
 itav->infoType = OBJ_nid2obj(NID_id_it_crls);
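Review bot: The new `error:` label in crls_http_cb (apps/lib/apps.c) releases the stack with `sk_X509_CRL_free(crls)`, which frees only the stack container and not its elements, so when the delta-CRL push fails the base CRL that was already pushed is leaked. Using `sk_X509_CRL_pop_free(crls, X509_CRL_free);` there covers both failure points, since the stack is still empty when the first push fails. An allocation failure on the optional delta CRL now also discards the base CRL and returns NULL; if that is intended, a comment at the second check such as `/* treat a failed push as fatal rather than returning a partial CRL set */` would make it explicit. The start of the function, including where `crls` is allocated, is outside the hunk.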
@@ -807,6 +808,7 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl)
 return itav;
 err:
+ OPENSSL_free(crl_copy);
 sk_X509_CRL_free(crls);
 OSSL_CMP_ITAV_free(itav);
 return NULL;
diff --git a/fuzz/x509.c b/fuzz/x509.c
index ce28e80728..b22390f717 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -98,10 +98,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
 if (crl != NULL) {
 crls = sk_X509_CRL_new_null();
- if (crls == NULL
+ if (crls == NULL
+ || !sk_X509_CRL_push(crls, crl))
 goto err;
- sk_X509_CRL_push(crls, crl);
 X509_STORE_CTX_set0_crls(ctx, crls);
 }
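Review bot: The added `OPENSSL_free(crl_copy);` under `err:` in OSSL_CMP_ITAV_new_crls (crypto/cmp/cmp_asn.c) frees an object returned by `X509_CRL_dup()` with the raw allocator free, which would release only the top-level structure and leak the CRL's internal fields; it should be `X509_CRL_free(crl_copy);`. The same `goto err` is taken in the earlier hunk when `sk_X509_CRL_new_reserve()` fails, before `crl_copy` has been assigned, so this free relies on `crl_copy` being initialised to NULL at its declaration. That declaration is outside both hunks and is worth confirming.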