diff --git a/CHANGES b/CHANGES
index 2cbbaefda7..416db95499 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,11 @@
+6.0.0-dev.286 | 2023-03-30 09:52:26 -0700
+
+  * Consider cap len when forwarding into packet analysis. (Jan Grashoefer, Corelight)
+
+    When forwarding into packet analysis from TCP or UDP, the protocol's
+    length fields were trusted. This might be dangerous in case of truncated
+    packets.
+
 6.0.0-dev.284 | 2023-03-30 09:50:57 -0700
 
   * Reintroduce info when overriding packet analyzer mappings. (Jan Grashoefer, Corelight)
diff --git a/VERSION b/VERSION
index 8360ee8f24..08f8b86011 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-6.0.0-dev.284
+6.0.0-dev.286
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index d698022e80..90f83d10fa 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -237,8 +237,9 @@ protected:
 	 * Triggers analysis of the encapsulated packet. The encapsulated protocol
 	 * is determined using the given identifier.
 	 *
+	 * @param len The length of the data left to analyze.
+	 * @param data Pointer to the payload in the raw packet left to analyze.
 	 * @param packet The packet to analyze.
-	 * @param data Reference to the payload pointer into the raw packet.
 	 * @param identifier The identifier of the encapsulated protocol.
 	 *
 	 * @return false if the analysis failed, else true.
@@ -249,8 +250,9 @@ protected:
 	 * Triggers default analysis of the encapsulated packet if the default analyzer
 	 * is set.
 	 *
+	 * @param len The length of the data left to analyze.
+	 * @param data Pointer to the payload in the raw packet left to analyze.
 	 * @param packet The packet to analyze.
-	 * @param data Reference to the payload pointer into the raw packet.
 	 *
 	 * @return false if the analysis failed, else true.
 	 */
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index fea5acd6a1..6d6dfc4dbb 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -125,7 +125,7 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	pkt->session = c;
 
 	// Send the packet back into the packet analysis framework.
-	ForwardPacket(len, data, pkt);
+	ForwardPacket(std::min(len, remaining), data, pkt);
 
 	// Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket
 	// but this adapter does some other things in its DeliverPacket with the packet children
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index a2025a71d4..58f12960a3 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -223,7 +223,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	// port here because the orig/resp should have already swapped around based on
 	// likely_server_ports. This also prevents us from processing things twice if protocol
 	// detection has to be used.
-	ForwardPacket(len, data, pkt, ntohs(c->RespPort()));
+	ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort()));
 
 	// Also try sending it into session analysis.
 	if ( remaining >= len )