diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
index 85afb62ac..e58292628 100644
--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-client.c,v 1.24 2025/07/30 10:17:13 dtucker Exp $ */
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.25 2025/10/31 01:50:43 djm Exp $ */
 /*
 * Copyright (c) 2010 Markus Friedl. All rights reserved.
 * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -355,6 +355,7 @@ pkcs11_start_helper(const char *path)
 }
 close(pair[0]);
 close(pair[1]);
+ closefrom(STDERR_FILENO + 1);
 prog = getenv("SSH_PKCS11_HELPER");
 if (prog == NULL || strlen(prog) == 0)
 prog = _PATH_SSH_PKCS11_HELPER;
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index aeb5b7a8a..838610d96 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.29 2025/07/30 04:27:42 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.30 2025/10/31 01:50:43 djm Exp $ */
 /*
 * Copyright (c) 2010 Markus Friedl. All rights reserved.
 *
@@ -222,6 +222,8 @@ main(int argc, char **argv)
 __progname = ssh_get_progname(argv[0]);
 seed_rng();
+ sanitise_stdfd();
+ closefrom(STDERR_FILENO + 1);
 log_init(__progname, log_level, log_facility, log_stderr);
 while ((ch = getopt(argc, argv, "v")) != -1) {
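Review bot: The added `closefrom(STDERR_FILENO + 1);` in the child path of pkcs11_start_helper carries no comment explaining why it is there, and its correctness depends on the descriptor setup that happens above the hunk. I would put `/* keep only stdio: the helper should not inherit any other descriptor from the parent */` on the line before it, so a later reorder of the stdio setup does not silently move it ahead of that setup. The enclosing function starts and ends outside the hunk, so the ordering relative to the stdio redirection cannot be confirmed from here.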
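Review bot: `sanitise_stdfd();` and `closefrom(STDERR_FILENO + 1);` are added after `seed_rng();`, so anything seed_rng() opens runs before the descriptor table is cleaned up. If the helper is started with one of fds 0-2 closed, a descriptor opened there would later be treated as stdio, and one left open above 2 would be closed underneath its owner. seed_rng() is not visible in this diff, so this is a hedge rather than a confirmed defect, but making the two calls the first statements of main() removes the question. A short comment such as `/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */` above `sanitise_stdfd();` would also help; main's body continues outside the hunk.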