diff --git a/src/acl/external/kerberos_ldap_group/support_sasl.cc b/src/acl/external/kerberos_ldap_group/support_sasl.cc
index 6c0ced6deb2..7a0beced207 100644
--- a/src/acl/external/kerberos_ldap_group/support_sasl.cc
+++ b/src/acl/external/kerberos_ldap_group/support_sasl.cc
@@ -202,16 +202,16 @@ void
 lutil_sasl_freedefs(
     void *defaults)
 {
-    lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults;
-
-    xfree(defs->mech);
-    xfree(defs->realm);
-    xfree(defs->authcid);
-    xfree(defs->passwd);
-    xfree(defs->authzid);
-    xfree(defs->resps);
-
-    xfree(defs);
+    if (const auto defs = static_cast<lutilSASLdefaults*>(defaults)) {
+        xfree(defs->mech);
+        xfree(defs->realm);
+        xfree(defs->authcid);
+        xfree(defs->passwd);
+        xfree(defs->authzid);
+        xfree(defs->resps);
+
+        xfree(defs);
+    }
 }
 
 int
diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
index f5dff1d75dc..5e2f99002b1 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
@@ -202,6 +202,12 @@ getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t Gro
         return nullptr;
     }
 
+    if (!Rids) {
+        debug((char *) "%s| %s: ERR: Invalid RIDS list\n",
+              LogTime(), PROGRAM);
+        return nullptr;
+    }
+
     if (DomainLogonId!= 0) {
         uint8_t rev;
         uint64_t idauth;