diff --git a/CHANGES b/CHANGES
index 7c73ffe0b2..cf6d0fb721 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,15 @@
+4.2.0-dev.43 | 2021-07-21 11:41:19 -0700
+
+  * Fix handling of timers when cloning TableVals (Johanna Amann, Corelight)
+
+    When cloning TableVals, a new timer was created for the wrong object
+    (the existing TableVal, not the clone). This lead to the already
+    existing timer being no longer accessible. Which, in turn, leads to an
+    abandoned timer reading into no longer allocated data when the original
+    TableVal is deleted.
+
+    Fixes GH-1687
+
 4.2.0-dev.40 | 2021-07-20 09:58:14 -0700
 
   * Cover in NEWS the inclusion of btest tooling in the installation (Christian Kreibich, Corelight)
diff --git a/VERSION b/VERSION
index 972c09eb46..dd83e9b9b6 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.0-dev.40
+4.2.0-dev.43
diff --git a/src/Val.cc b/src/Val.cc
index 3c561ff81f..7f8d76cebc 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -2768,8 +2768,8 @@ ValPtr TableVal::DoClone(CloneState* state)
 
 		// As network_time is not necessarily initialized yet, we set
 		// a timer which fires immediately.
-		timer = new TableValTimer(this, 1);
-		detail::timer_mgr->Add(timer);
+		tv->timer = new TableValTimer(tv.get(), 1);
+		detail::timer_mgr->Add(tv->timer);
 		}
 
 	if ( expire_func )
diff --git a/testing/btest/language/expire-redef.zeek b/testing/btest/language/expire-redef.zeek
index 3958ef8342..10906a2b91 100644
--- a/testing/btest/language/expire-redef.zeek
+++ b/testing/btest/language/expire-redef.zeek
@@ -35,3 +35,9 @@ event zeek_init() &priority=-10
 	data[0] = "some data";
 	schedule 4sec { do_it() };
 	}
+
+# Test that re-defing a table with an expiry in a specific way
+# does not crash Zeek; see GH-1687.
+
+global hosts: set[addr] &create_expire=1day &redef;
+redef hosts: set[addr] = {};