diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index afe498b1a4f4c7..d22c9a9d9c103e 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -431,23 +431,23 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
 }
 
 /* add given CRL to cache if it is not already there */
-static SECStatus nss_cache_crl(SECItem *crlDER)
+static CURLcode nss_cache_crl(SECItem *crl_der)
 {
   CERTCertDBHandle *db = CERT_GetDefaultCertDB();
-  CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0);
+  CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crl_der, 0);
   if(crl) {
     /* CRL already cached */
     SEC_DestroyCrl(crl);
-    SECITEM_FreeItem(crlDER, PR_FALSE);
+    SECITEM_FreeItem(crl_der, PR_TRUE);
     return CURLE_SSL_CRL_BADFILE;
   }
 
   /* acquire lock before call of CERT_CacheCRL() */
   PR_Lock(nss_crllock);
-  if(SECSuccess != CERT_CacheCRL(db, crlDER)) {
+  if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
     /* unable to cache CRL */
     PR_Unlock(nss_crllock);
-    SECITEM_FreeItem(crlDER, PR_FALSE);
+    SECITEM_FreeItem(crl_der, PR_TRUE);
     return CURLE_SSL_CRL_BADFILE;
   }
 
@@ -462,7 +462,7 @@ static CURLcode nss_load_crl(const char* crlfilename)
   PRFileDesc *infile;
   PRFileInfo  info;
   SECItem filedata = { 0, NULL, 0 };
-  SECItem crlDER = { 0, NULL, 0 };
+  SECItem *crl_der = NULL;
   char *body;
 
   infile = PR_Open(crlfilename, PR_RDONLY, 0);
@@ -478,6 +478,10 @@ static CURLcode nss_load_crl(const char* crlfilename)
   if(info.size != PR_Read(infile, filedata.data, info.size))
     goto fail;
 
+  crl_der = SECITEM_AllocItem(NULL, NULL, 0U);
+  if(!crl_der)
+    goto fail;
+
   /* place a trailing zero right after the visible data */
   body = (char*)filedata.data;
   body[--filedata.len] = '\0';
@@ -498,20 +502,21 @@ static CURLcode nss_load_crl(const char* crlfilename)
 
     /* retrieve DER from ASCII */
     *trailer = '\0';
-    if(ATOB_ConvertAsciiToItem(&crlDER, begin))
+    if(ATOB_ConvertAsciiToItem(crl_der, begin))
       goto fail;
 
     SECITEM_FreeItem(&filedata, PR_FALSE);
   }
   else
     /* assume DER */
-    crlDER = filedata;
+    *crl_der = filedata;
 
   PR_Close(infile);
-  return nss_cache_crl(&crlDER);
+  return nss_cache_crl(crl_der);
 
 fail:
   PR_Close(infile);
+  SECITEM_FreeItem(crl_der, PR_TRUE);
   SECITEM_FreeItem(&filedata, PR_FALSE);
   return CURLE_SSL_CRL_BADFILE;
 }