diff --git a/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
new file mode 100644
index 00000000000000..b6dbda0427181d
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2026-03-02-19-41-39.gh-issue-145376.OOzSOh.rst
@@ -0,0 +1,2 @@
+Fix double free and null pointer dereference in unusual error scenarios
+in :mod:`hashlib` and :mod:`hmac` modules.
diff --git a/Modules/hmacmodule.c b/Modules/hmacmodule.c
index bc711b51accd87..8a0b3496b1afa1 100644
--- a/Modules/hmacmodule.c
+++ b/Modules/hmacmodule.c
@@ -1529,7 +1529,6 @@ static void
 py_hmac_hinfo_ht_free(void *hinfo)
 {
     py_hmac_hinfo *entry = (py_hmac_hinfo *)hinfo;
-    assert(entry->display_name != NULL);
     if (--(entry->refcnt) == 0) {
         Py_CLEAR(entry->display_name);
         PyMem_Free(hinfo);
@@ -1628,7 +1627,8 @@ py_hmac_hinfo_ht_new(void)
             e->hashlib_name == NULL ? e->name : e->hashlib_name
         );
         if (value->display_name == NULL) {
-            PyMem_Free(value);
+            /* 'value' is owned by the table (refcnt > 0),
+               so _Py_hashtable_destroy() will free it. */
             goto error;
         }
     }
diff --git a/Modules/md5module.c b/Modules/md5module.c
index 9b5ea2d6e02605..f3855ec3f37faa 100644
--- a/Modules/md5module.c
+++ b/Modules/md5module.c
@@ -87,7 +87,10 @@ static void
 MD5_dealloc(PyObject *op)
 {
     MD5object *ptr = _MD5object_CAST(op);
-    Hacl_Hash_MD5_free(ptr->hash_state);
+    if (ptr->hash_state != NULL) {
+        Hacl_Hash_MD5_free(ptr->hash_state);
+        ptr->hash_state = NULL;
+    }
     PyTypeObject *tp = Py_TYPE(op);
     PyObject_GC_UnTrack(ptr);
     PyObject_GC_Del(ptr);