diff --git a/common/bolt11.c b/common/bolt11.c
index 93414330f226..164d7283df74 100644
--- a/common/bolt11.c
+++ b/common/bolt11.c
@@ -917,6 +917,8 @@ struct bolt11 *bolt11_decode_nosig(const tal_t *ctx, const char *str,
 return b11;
 }
+static bool valid_recovery_id(u8 recid) { return recid <= 3; }
+
 /* Decodes and checks signature; returns NULL on error. */
 struct bolt11 *bolt11_decode(const tal_t *ctx, const char *str,
 const struct feature_set *our_features,
@@ -957,6 +959,10 @@ struct bolt11 *bolt11_decode(const tal_t *ctx, const char *str,
 assert(data_len == 0);
+ if (!valid_recovery_id(sig_and_recid[64]))
+ return decode_fail(b11, fail, "invalid recovery ID: %u",
+ sig_and_recid[64]);
+
 if (!secp256k1_ecdsa_recoverable_signature_parse_compact
 (secp256k1_ctx, &sig, sig_and_recid, sig_and_recid[64]))
 return decode_fail(b11, fail, "signature invalid");
diff --git a/tests/fuzz/corpora/fuzz-bolt11-decode/crash-90ba6bcd63aa79a19b2df3d58a4fa0c4193614f0 b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-90ba6bcd63aa79a19b2df3d58a4fa0c4193614f0
new file mode 100644
index 000000000000..cbebfa5a47a2
--- /dev/null
+++ b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-90ba6bcd63aa79a19b2df3d58a4fa0c4193614f0
@@ -0,0 +1 @@
+lntltc1UZZZZQQDQQpp5pppppppppppppppppZZZZZZZZZZZZQQQQQQQQQQQQQQQQQQQQQQQQQQQQQAQQQQQQQQQQQQQQQQZZZZZZZZZZZZZZZZZZZZZZZppppppppppppppppppppppppppppppppppppZZZZZZZZZZZZZZZZZZZZZZZZtltc
\ No newline at end of file
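Review bot: `valid_recovery_id` encodes the bound 3 with no explanation of where it comes from, so a reader cannot tell whether it is a BOLT11 encoding rule or a library precondition. I would put a short comment above the helper: `/* Recovery id is 2 bits (0..3); libsecp256k1's parse_compact treats anything else as an illegal argument, whose default callback aborts, so reject it before the call. */` The helper also squeezes signature and body onto one line, while the other definitions visible in this hunk spread their signatures across lines, so a conventional `static bool valid_recovery_id(u8 recid)` with a braced body on its own lines would read more like the rest of the file.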
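Review bot: The new check indexes `sig_and_recid[64]` three times with a bare magic number and relies on an earlier part of bolt11_decode having established that the buffer is exactly 65 bytes; that code is outside this hunk, so nothing nearby says so. A comment on the check, `/* 64-byte compact signature followed by the 1-byte recovery id */`, would tie the index to the buffer layout. Separately, the only regression coverage this commit adds is the fuzz crash input under tests/fuzz/corpora; a deterministic unit test that decodes an invoice whose recovery id byte is 4 or more and asserts the `invalid recovery ID` failure would pin the fix without running the fuzzer.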