diff --git a/common-session.c b/common-session.c
index a225b2162582200a90fe1d23c772e6f50a25c8b2..971955afbe8a78faccfaf3f574e2b4cb5ee947fa 100644
--- a/common-session.c
+++ b/common-session.c
@@ -260,13 +260,16 @@ void session_cleanup() {
 		return;
 	}
 
+	/* Beware of changing order of functions here. */
+
+	/* Must be before extra_session_cleanup() */
+	chancleanup();
+
 	if (ses.extra_session_cleanup) {
 		ses.extra_session_cleanup();
 	}
 
-	chancleanup();
-
-	/* Most dropbear functions are unsafe to run after this point */
+	/* After these are freed most functions will exit */
 #ifdef DROPBEAR_CLEANUP
 	/* listeners call cleanup functions, this should occur before
 	other session state is freed. */
@@ -289,6 +292,12 @@ void session_cleanup() {
 	cleanup_buf(&ses.payload);
 	cleanup_buf(&ses.readbuf);
 	cleanup_buf(&ses.writepayload);
+	cleanup_buf(&ses.kexhashbuf);
+	cleanup_buf(&ses.transkexinit);
+	if (ses.dh_K) {
+		mp_clear(ses.dh_K);
+	}
+	m_free(ses.dh_K);
 
 	m_burn(ses.keys, sizeof(struct key_context));
 	m_free(ses.keys);
diff --git a/svr-session.c b/svr-session.c
index 2b8a9560c8ab6aa16c7c2a258280196ef3810e4a..8485905c33d1c75894fe7de90afd5dcac8ef9821 100644
--- a/svr-session.c
+++ b/svr-session.c
@@ -83,8 +83,9 @@ svr_session_cleanup(void) {
 	svr_pubkey_options_cleanup();
 
 	m_free(svr_ses.addrstring);
-	m_free(svr_ses.childpids);
 	m_free(svr_ses.remotehost);
+	m_free(svr_ses.childpids);
+	svr_ses.childpidsize = 0;
 }
 
 static void