diff --git a/sm/ChangeLog b/sm/ChangeLog
index feef043ef..928611eb8 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,9 @@
+2004-10-08  Moritz Schulte  <moritz@g10code.com>
+
+	* certchain.c (gpgsm_validate_chain): Do not use keydb_new() in
+	case the no_chain_validation-return-short-cut is used (fixes
+	memory leak).
+
 2004-10-04  Werner Koch  <wk@g10code.com>
 
 	* misc.c (setup_pinentry_env): Try hard to set a default for GPG_TTY.
diff --git a/sm/certchain.c b/sm/certchain.c
index ad30a36e1..c51327e0d 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -534,7 +534,7 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
   int rc = 0, depth = 0, maxdepth;
   char *issuer = NULL;
   char *subject = NULL;
-  KEYDB_HANDLE kh = keydb_new (0);
+  KEYDB_HANDLE kh = NULL;
   ksba_cert_t subject_cert = NULL, issuer_cert = NULL;
   ksba_isotime_t current_time;
   ksba_isotime_t exptime;
@@ -555,7 +555,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t r_exptime,
       log_info ("WARNING: bypassing certificate chain validation\n");
       return 0;
     }
-  
+
+  kh = keydb_new (0);
   if (!kh)
     {
       log_error (_("failed to allocated keyDB handle\n"));