diff --git a/CHANGES b/CHANGES
index 9c6df9d..8328840 100644
--- a/CHANGES
+++ b/CHANGES
@@ -34,6 +34,9 @@ Corrections:
 
 	Fixed an internal FD leak in the EXEC,SYSTEM addresses.
 
+	The FDs of the socketpair that queues messages from signal handlers
+	lacked FD_CLOEXEC and thus leaked into EXEC and SYSTEM child processes.
+
 Features:
 	VSOCK, VSOCK-L support options pf, socktype, prototype (currently
 	useless)
diff --git a/error.c b/error.c
index 2fad6c2..a080ee2 100644
--- a/error.c
+++ b/error.c
@@ -119,6 +119,8 @@ static int diag_sock_pair(void) {
       diag_sock_recv = -1;
       return -1;
    }
+   fcntl(handlersocks[0], F_SETFD, FD_CLOEXEC);
+   fcntl(handlersocks[1], F_SETFD, FD_CLOEXEC);
    diag_sock_send = handlersocks[1];
    diag_sock_recv = handlersocks[0];
 #if !defined(MSG_DONTWAIT)