diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 0469fc943f..dc48bc57e5 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -1120,7 +1120,16 @@ static int event_log_load_userspace(EventLog *el) {
                         continue;
                 }
 
-                b[bn] = 0;
+                if (!GREEDY_REALLOC(b, bn + 1))
+                        return log_oom();
+
+                b[bn] = 0; /* Turn it into a string */
+
+                if (memchr(b, 0, bn)) {
+                        log_warning("Found record with embedded NUL byte, skipping.");
+                        continue;
+                }
+
                 r = json_parse(b, 0, &j, NULL, NULL);
                 if (r < 0)
                         return log_error_errno(r, "Failed to parse local TPM measurement log file: %m");
diff --git a/test/units/testsuite-70.pcrlock.sh b/test/units/testsuite-70.pcrlock.sh
index 415bfa8ff4..46060c1dc3 100755
--- a/test/units/testsuite-70.pcrlock.sh
+++ b/test/units/testsuite-70.pcrlock.sh
@@ -41,6 +41,15 @@ PCRS="1+2+3+4+5+16"
 # (as the PCR values simply won't match the log).
 rm -f /run/log/systemd/tpm2-measure.log
 
+# Ensure a truncated log doesn't crash pcrlock
+echo -n -e \\x1e >/tmp/borked
+set +e
+SYSTEMD_MEASURE_LOG_USERSPACE=/tmp/borked "$SD_PCRLOCK" cel --no-pager --json=pretty
+ret=$?
+set -e
+# If it crashes the exit code will be 149
+test $ret -eq 1
+
 SYSTEMD_COLORS=256 "$SD_PCRLOCK"
 "$SD_PCRLOCK" cel --no-pager --json=pretty
 "$SD_PCRLOCK" log --pcr="$PCRS"