diff --git a/NEWS b/NEWS
index 54bf61d7b..9ab5949a6 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,11 @@ For full details, see the git log at: https://github.com/ksh93/ksh
 
 Any uppercase BUG_* names are modernish shell bug IDs.
 
+2020-06-30:
+
+- 'read -u' will no longer crash with a memory fault when given an out of
+  range or negative file descriptor.
+
 2020-06-28:
 
 - Variables created with 'typeset -RF' no longer cause a memory fault
diff --git a/src/cmd/ksh93/bltins/read.c b/src/cmd/ksh93/bltins/read.c
index 358908b52..a94657a07 100644
--- a/src/cmd/ksh93/bltins/read.c
+++ b/src/cmd/ksh93/bltins/read.c
@@ -128,6 +128,8 @@ int	b_read(int argc,char *argv[], Shbltin_t *context)
 		break;
 	    case 'u':
 		fd = (int)opt_info.num;
+		if(opt_info.num<0 || opt_info.num>INT_MAX || (fd>=shp->gd->lim.open_max && !sh_iovalidfd(shp,fd)))
+			errormsg(SH_DICT,ERROR_exit(1),e_file,opt_info.arg); /* reject invalid file descriptors */
 		if(sh_inuse(shp,fd))
 			fd = -1;
 		break;
diff --git a/src/cmd/ksh93/include/version.h b/src/cmd/ksh93/include/version.h
index 5ef73135a..a412613f1 100644
--- a/src/cmd/ksh93/include/version.h
+++ b/src/cmd/ksh93/include/version.h
@@ -17,4 +17,4 @@
 *                  David Korn <dgk@research.att.com>                   *
 *                                                                      *
 ***********************************************************************/
-#define SH_RELEASE	"93u+m 2020-06-28"
+#define SH_RELEASE	"93u+m 2020-06-30"
diff --git a/src/cmd/ksh93/tests/io.sh b/src/cmd/ksh93/tests/io.sh
index 963d645eb..51eba6ce0 100755
--- a/src/cmd/ksh93/tests/io.sh
+++ b/src/cmd/ksh93/tests/io.sh
@@ -557,5 +557,18 @@ result=$("$SHELL" -ic 'echo >(true) >/dev/null' 2>&1)
 [[ -z $result ]] || err_exit 'interactive shells print a PID during process substitution' \
 				"(expected '', got $(printf %q "$result"))"
 
+# ======
+# Out of range file descriptors shouldn't cause 'read -u' to segfault
+"$SHELL" -c 'read -u2000000' 2> /dev/null
+[[ $? == 1 ]] || err_exit "Large file descriptors cause 'read -u' to crash"
+
+# Separately test numbers outside of the 32-bit limit as well
+"$SHELL" -c 'read -u2000000000000' 2> /dev/null
+[[ $? == 1 ]] || err_exit "File descriptors larger than the 32-bit limit cause 'read -u' to crash"
+
+# Negative numbers shouldn't segfault either
+"$SHELL" -c 'read -u-2000000' 2> /dev/null
+[[ $? == 1 ]] || err_exit "Negative file descriptors cause 'read -u' to crash"
+
 # ======
 exit $((Errors<125?Errors:125))