diff --git a/CHANGES b/CHANGES
index bb30262b79..eae6157271 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5017.	[bug]		lib/isc/pk11.c failed to unlink the session before
+			releasing the lock which is unsafe. [GL !589]
+
 5016.	[bug]		Named could assert with overlapping filter-aaaa and
 			dns64 acls. [GL #445]
 
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index cfc5e52074..f3835b6641 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -401,6 +401,7 @@ free_session_list(pk11_sessionlist_t *slist) {
 	LOCK(&sessionlock);
 	while (!ISC_LIST_EMPTY(*slist)) {
 		sp = ISC_LIST_HEAD(*slist);
+		ISC_LIST_UNLINK(*slist, sp, link);
 		UNLOCK(&sessionlock);
 		if (sp->session != CK_INVALID_HANDLE) {
 			rv = pkcs_C_CloseSession(sp->session);
@@ -408,7 +409,6 @@ free_session_list(pk11_sessionlist_t *slist) {
 				ret = DST_R_CRYPTOFAILURE;
 		}
 		LOCK(&sessionlock);
-		ISC_LIST_UNLINK(*slist, sp, link);
 		pk11_mem_put(sp, sizeof(*sp));
 	}
 	UNLOCK(&sessionlock);