diff --git a/NEWS b/NEWS
index bee1a3506e74..24e54516b94d 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,9 @@ Uppercase BUG_* IDs are shell bug IDs as used by the Modernish shell library.
 - [v1.1] The emacs ^Y command now accepts a numeric parameter. For example,
   ESC 10 ^Y will now "yank" (paste) the latest deleted text 10 times.
 
+- Fixed a crash that could occur in some scenarios when /opt/ast/bin
+  builtins handled invalid options in virtual subshells.
+
 2024-12-25:
 
 - The dirname path-bound built-in now accepts multiple operands.
diff --git a/src/cmd/ksh93/sh/init.c b/src/cmd/ksh93/sh/init.c
index eeeb4973d096..73ed16c7d065 100644
--- a/src/cmd/ksh93/sh/init.c
+++ b/src/cmd/ksh93/sh/init.c
@@ -245,7 +245,11 @@ void *sh_realloc(void *ptr, size_t size)
 	void *cp;
 	cp = realloc(ptr, size);
 	if(!cp)
+	{
+		if(ptr)
+			free(ptr);
 		nomemory(size);
+	}
 	return cp;
 }
 
diff --git a/src/lib/libast/port/astconf.c b/src/lib/libast/port/astconf.c
index 4f0f98cef38a..21d5fd83dd0c 100644
--- a/src/lib/libast/port/astconf.c
+++ b/src/lib/libast/port/astconf.c
@@ -306,6 +306,7 @@ synthesize(Feature_t* fp, const char* path, const char* value)
 	char*		d;
 	char*		v;
 	char*		p;
+	int		docpy;
 	int		n;
 
 #if DEBUG_astconf
@@ -458,14 +459,26 @@ synthesize(Feature_t* fp, const char* path, const char* value)
 		fp->value = 0;
 	if (n == 1 && (*value == '0' || *value == '-'))
 		n = 0;
-	if (!(fp->value = newof(fp->value, char, n, 1)))
-		fp->value = null;
+	docpy = fp->value != value;
+	if (!fp->value && !(fp->value = calloc(1, n + 1)))
+	{
+		error(ERROR_SYSTEM|ERROR_PANIC,"out of memory");
+		UNREACHABLE();
+	}
 	else
 	{
-		fp->flags |= CONF_ALLOC;
-		memcpy(fp->value, value, n);
-		fp->value[n] = 0;
+		char *tofree = fp->value;
+		if (!(fp->value = realloc(fp->value, n + 1)))
+		{
+			free(tofree);
+			error(ERROR_SYSTEM|ERROR_PANIC,"out of memory");
+			UNREACHABLE();
+		}
 	}
+	fp->flags |= CONF_ALLOC;
+	if(docpy)
+		memcpy(fp->value, value, n);
+	fp->value[n] = 0;
 	return fp->value;
 }