diff --git a/ChangeLog b/ChangeLog index fd7a3f5b6..12c541cde 100644 --- a/ChangeLog +++ b/ChangeLog @@ -37,6 +37,9 @@ Bugfix cause buffer bound checks to be bypassed. Found by Eyal Itkin. * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could cause buffer bound checks to be bypassed. Found by Eyal Itkin. + * Fix potential memory leak in x509_crl_parse(). The leak was caused by + missing calls to pem_free() in cases when a + POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. = mbed TLS 1.3.18 branch 2016-10-17 diff --git a/library/x509_crl.c b/library/x509_crl.c index 0d92bb131..b2b0bed6e 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -520,16 +520,17 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen ) if( ( ret = x509_crl_parse_der( chain, pem.buf, pem.buflen ) ) != 0 ) { + pem_free( &pem ); return( ret ); } - - pem_free( &pem ); } else if( is_pem ) { pem_free( &pem ); return( ret ); } + + pem_free( &pem ); } while( is_pem && buflen > 0 );
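Review bot: In the library/x509_crl.c hunk, releasing `pem` now depends on three hand-placed `pem_free( &pem )` calls: before `return( ret )` in the `x509_crl_parse_der` failure branch, in the `else if( is_pem )` branch, and at the bottom of the loop body. Any early return added to this loop later would reintroduce the leak, so I would record the invariant next to the bottom call, e.g. `/* pem must be released on every path out of the loop body; early returns call pem_free() first */`. The added call in the `x509_crl_parse_der` failure branch fixes a second leak that the ChangeLog entry does not describe, since that entry names only the POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT case; a half-sentence there would make the fix easier to track. CRLs are usually parsed from externally supplied data, so it is worth running the CRL parsing tests under a leak checker with a DER-only input and with a PEM block whose DER body fails to parse. The loop header and the rest of x509_crl_parse lie outside the hunk, so the per-iteration initialisation of `pem` is presumed rather than visible here.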