diff --git a/CHANGES b/CHANGES
index 49d3dc3a5d140576eb218596aa8bd863badddc1d..86387c3ae982290453e4dc7105c3933043e70a37 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,22 @@
  For a full list of changes, see the git commit log; for example,
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
+ *) Fix excessive time spent checking DH q parameter value.
+
+    The function DH_check() performs various checks on DH parameters. After
+    fixing CVE-2023-3446 it was discovered that a large q parameter value can
+    also trigger an overly long computation during some of these checks.
+    A correct q value, if present, cannot be larger than the modulus p
+    parameter, thus it is unnecessary to perform these checks if q is larger
+    than p.
+
+    If DH_check() is called with such q parameter value,
+    DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
+    intensive checks are skipped.
+
+    (CVE-2023-3817)
+    [Tomáš Mráz]
+
  *) Fix DH_check() excessive time with over sized modulus
 
     The function DH_check() performs various checks on DH parameters. One of
diff --git a/NEWS b/NEWS
index cfffa3b5b7d2771c5a8761eeec3eff24710ac29c..2c98296c93abea0645f86a8a2682efcef82c5ba2 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@
 
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
+      o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
       o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
       o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
       o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index e5f9dd5030e0175f0166a4d00566f87ac63cd67c..285434121c5310e3365cb6f82912d64135d795a4 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh)
 
 int DH_check(const DH *dh, int *ret)
 {
-    int ok = 0, r;
+    int ok = 0, r, q_good = 0;
     BN_CTX *ctx = NULL;
     BIGNUM *t1 = NULL, *t2 = NULL;
 
@@ -119,7 +119,14 @@ int DH_check(const DH *dh, int *ret)
     if (t2 == NULL)
         goto err;
 
-    if (dh->q) {
+    if (dh->q != NULL) {
+        if (BN_ucmp(dh->p, dh->q) > 0)
+            q_good = 1;
+        else
+            *ret |= DH_CHECK_INVALID_Q_VALUE;
+    }
+
+    if (q_good) {
         if (BN_cmp(dh->g, BN_value_one()) <= 0)
             *ret |= DH_NOT_SUITABLE_GENERATOR;
         else if (BN_cmp(dh->g, dh->p) >= 0)