diff --git a/CHANGES b/CHANGES
index a774d35724..605c8cc7d6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+7.1.0-dev.109 | 2024-08-07 14:10:54 +0200
+
+ * ldap: Promote uint8 to uint64 before shifting (Arne Welzel, Corelight)
+
+ Relates to zeek/spicy#1829
+
 7.1.0-dev.107 | 2024-08-07 11:43:15 +0200
 
 * ci/ubuntu-24.04: Use ccache 4.10.2 (Arne Welzel, Corelight)
diff --git a/VERSION b/VERSION
index 0ed69d9a81..3439a3df40 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.1.0-dev.107
+7.1.0-dev.109
diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index 52ab0e6160..0816e6afe9 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
@@ -196,7 +196,7 @@ type MaybeEncrypted = unit(ctx: Ctx&) {
 # If so, switch into KRB mode assuming that's what is being used and
 # have a chance seeing some more plaintext LDAP in non-sealed tokens.
 rem: uint8[3] if ( ctx.messageMode == MessageMode::ENCRYPTED && (|self.mech| == 0 || self.mech.starts_with(b"GSS")) ) {
- self.saslLen = (self.first << 24) + ($$[0] << 16) + ($$[1] << 8) + $$[2];
+ self.saslLen = (uint64(self.first) << 24) + (uint64($$[0]) << 16) + (uint64($$[1]) << 8) + uint64($$[2]);
 }
 
 : uint16 if ( self.saslLen >= 2 ) {
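Review bot: The rewritten `self.saslLen = ...` line in the ldap.spicy hunk has no comment explaining why each byte is wrapped in `uint64(...)`, so a later cleanup could strip the casts as redundant and presumably bring back the problem tracked in zeek/spicy#1829. I would add above it `# Promote each uint8 to uint64 before shifting (see zeek/spicy#1829); do not drop the casts.` The four bytes come straight from the peer, so `saslLen` can hold any 32-bit value; the only check visible here is `self.saslLen >= 2`, and whether the fields that consume the length cap it is outside this hunk and worth confirming. The part of the commit shown adds no test or trace; a regression case whose length field has a non-zero high byte would pin the corrected value. The `MaybeEncrypted` unit starts and ends outside the hunk.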