diff --git a/ext/phar/tests/phar-openssl-verify-evp-pkey-leak.phpt b/ext/phar/tests/phar-openssl-verify-evp-pkey-leak.phpt
new file mode 100644
index 000000000000..b1deef09f3b6
--- /dev/null
+++ b/ext/phar/tests/phar-openssl-verify-evp-pkey-leak.phpt
@@ -0,0 +1,34 @@
+--TEST--
+phar: EVP_PKEY freed on EVP_MD_CTX_create/EVP_VerifyInit failure in phar_verify_signature
+--EXTENSIONS--
+phar
+--SKIPIF--
+
+--INI--
+phar.require_hash=1
+phar.readonly=0
+--FILE--
+getSignature()['hash_type']);
+
+$p = new Phar($dir . 'openssl256.phar');
+var_dump($p->getSignature()['hash_type']);
+
+$p = new Phar($dir . 'openssl512.phar');
+var_dump($p->getSignature()['hash_type']);
+?>
+--EXPECT--
+string(7) "OpenSSL"
+string(14) "OpenSSL_SHA256"
+string(14) "OpenSSL_SHA512"
diff --git a/ext/phar/util.c b/ext/phar/util.c
index a1f9863ae3a9..fe177f964443 100644
--- a/ext/phar/util.c
+++ b/ext/phar/util.c
@@ -1640,6 +1640,7 @@ zend_result phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t s
 if (md_ctx) {
 EVP_MD_CTX_destroy(md_ctx);
 }
+ EVP_PKEY_free(key);
 if (error) {
 spprintf(error, 0, "openssl signature could not be verified");
 }
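Review bot: The three `new Phar(...)` / `var_dump(...->getSignature()['hash_type'])` calls only drive the successful verification path, so this test cannot reach the `EVP_MD_CTX_create`/`EVP_VerifyInit` failure branch that its `--TEST--` title names; it guards against regressions in loading OpenSSL-signed phars rather than demonstrating that the leak is gone. I would make the title honest about that, e.g. `phar: OpenSSL signature verification still succeeds after the EVP_PKEY cleanup fix in phar_verify_signature`, and add a one-line comment at the top of `--FILE--` saying the allocation-failure branch is not reachable from a .phpt and was checked with a leak sanitizer, if that is how it was verified. The `--SKIPIF--` body is empty and `--FILE--` opens mid-statement with `getSignature()['hash_type']);` in this rendering, which looks like the `<?php` blocks and the `$dir` assignment were lost in extraction rather than omitted from the patch; worth confirming the committed file carries them, since without a skip guard the test will fail rather than skip on builds without openssl.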
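Review bot: The new `EVP_PKEY_free(key);` plugs the leak on this one early exit, but `key` is acquired and normally released outside the hunk (phar_verify_signature begins and ends beyond the visible lines), so I cannot tell from here whether the later failure returns in the same function — after the digest context is set up but before the normal release — drop `key` as well; they are worth auditing in the same commit, because a leak per rejected signature is a small resource-exhaustion lever against code that parses untrusted archives. `EVP_PKEY_free` tolerates NULL in OpenSSL, so no guard is needed, but a comment would spare the next reader the question of why this branch and not the surrounding `if (md_ctx)` block owns the key: `/* key is ours on this error exit; a return presumably follows so the normal cleanup is not reached */` (hedged, since the return itself is outside the hunk). With both `md_ctx` and `key` now torn down inline in this branch, a single cleanup label shared with the success path would keep the two release sequences from drifting apart in future edits.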