diff --git a/CHANGES b/CHANGES
index 5867e69ba6..a7b4cfc7be 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5.0.0-dev.396 | 2022-05-13 16:50:53 -0700
+
+  * Fix UB during early shutdown on OpenSSL state (Dominik Charousset, Corelight)
+
 5.0.0-dev.393 | 2022-05-13 16:48:56 -0700
 
   * Correcly typify bloom filters in all cases during merge (Johanna Amann)
diff --git a/VERSION b/VERSION
index 2d17a6d7ee..d6f0c1a19f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.0.0-dev.393
+5.0.0-dev.396
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index 226e5c8188..f682d39118 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -823,8 +823,21 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 		if ( supervisor_mgr )
 			supervisor_mgr->InitPostScript();
 
+		// After spinning up Broker, we have background threads running now. If
+		// we exit early, we need to shut down at least Broker to get a clean
+		// program exit. Otherwise, we may run into undefined behavior, e.g., if
+		// Broker is still accessing OpenSSL but OpenSSL has already cleaned up
+		// its state due to calling exit().
+		auto early_shutdown = []
+		{
+			broker_mgr->Terminate();
+			delete iosource_mgr;
+			delete telemetry_mgr;
+		};
+
 		if ( options.print_plugins )
 			{
+			early_shutdown();
 			bool success = show_plugins(options.print_plugins);
 			exit(success ? 0 : 1);
 			}
@@ -843,7 +856,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 
 		if ( reporter->Errors() > 0 )
 			{
-			delete dns_mgr;
+			early_shutdown();
 			exit(1);
 			}
 
@@ -880,7 +893,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 			rule_matcher = new RuleMatcher(options.signature_re_level);
 			if ( ! rule_matcher->ReadFiles(all_signature_files) )
 				{
-				delete dns_mgr;
+				early_shutdown();
 				exit(1);
 				}
 
@@ -913,6 +926,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 			if ( analysis_options.usage_issues > 0 )
 				analyze_scripts();
 
+			early_shutdown();
 			exit(reporter->Errors() != 0);
 			}
 
@@ -921,8 +935,11 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 		analyze_scripts();
 
 		if ( analysis_options.report_recursive )
+			{
 			// This option is report-and-exit.
+			early_shutdown();
 			exit(0);
+			}
 
 		if ( dns_type != DNS_PRIME )
 			run_state::detail::init_run(options.interface, options.pcap_file,
@@ -951,7 +968,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 				reporter->FatalError("can't update DNS cache");
 
 			event_mgr.Drain();
-			delete dns_mgr;
+			early_shutdown();
 			exit(0);
 			}
 
@@ -968,6 +985,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 			id->DescribeExtended(&desc);
 
 			fprintf(stdout, "%s\n", desc.Description());
+			early_shutdown();
 			exit(0);
 			}