diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index bca6af8471fcd..5603700ecc98d 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -29,7 +29,8 @@
 /ext/json @bukka
 /ext/libxml @nielsdos
 /ext/mbstring @alexdowad @youkidearitai
-/ext/mysqlnd @SakiTakamachi
+/ext/mysqli @bukka @kamil-tekiela
+/ext/mysqlnd @bukka @kamil-tekiela @SakiTakamachi
 /ext/odbc @NattyNarwhal
 /ext/opcache @dstogov
 /ext/openssl @bukka
@@ -37,7 +38,7 @@
 /ext/pdo @SakiTakamachi
 /ext/pdo_dblib @SakiTakamachi
 /ext/pdo_firebird @SakiTakamachi
-/ext/pdo_mysql @SakiTakamachi
+/ext/pdo_mysql @kamil-tekiela @SakiTakamachi
 /ext/pdo_odbc @NattyNarwhal @SakiTakamachi
 /ext/pdo_pgsql @devnexen @SakiTakamachi
 /ext/pdo_sqlite @SakiTakamachi
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 1327cfad6604b..21741166c61aa 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1465,6 +1465,10 @@ void dom_namednode_iter(dom_object *basenode, int ntype, dom_object *intern, xml
 	mapptr->baseobj = basenode;
 	mapptr->nodetype = ntype;
 	mapptr->ht = ht;
+	if (EXPECTED(doc != NULL)) {
+		mapptr->dict = doc->dict;
+		xmlDictReference(doc->dict);
+	}
 
 	const xmlChar* tmp;
 
@@ -1578,6 +1582,7 @@ void dom_nnodemap_objects_free_storage(zend_object *object) /* {{{ */
 		if (!Z_ISUNDEF(objmap->baseobj_zv)) {
 			zval_ptr_dtor(&objmap->baseobj_zv);
 		}
+		xmlDictFree(objmap->dict);
 		efree(objmap);
 		intern->ptr = NULL;
 	}
@@ -1609,6 +1614,7 @@ zend_object *dom_nnodemap_objects_new(zend_class_entry *class_type)
 	objmap->cached_length = -1;
 	objmap->cached_obj = NULL;
 	objmap->cached_obj_index = 0;
+	objmap->dict = NULL;
 
 	return &intern->std;
 }
diff --git a/ext/dom/php_dom.h b/ext/dom/php_dom.h
index 7dd8cc896b48a..8a2011d8ea432 100644
--- a/ext/dom/php_dom.h
+++ b/ext/dom/php_dom.h
@@ -88,6 +88,7 @@ typedef struct dom_nnodemap_object {
 	php_libxml_cache_tag cache_tag;
 	dom_object *cached_obj;
 	zend_long cached_obj_index;
+	xmlDictPtr dict;
 	bool free_local : 1;
 	bool free_ns : 1;
 } dom_nnodemap_object;
diff --git a/ext/dom/tests/gh16906.phpt b/ext/dom/tests/gh16906.phpt
new file mode 100644
index 0000000000000..791ca13b390e0
--- /dev/null
+++ b/ext/dom/tests/gh16906.phpt
@@ -0,0 +1,17 @@
+--TEST--
+GH-16906 (Reloading document can cause UAF in iterator)
+--EXTENSIONS--
+dom
+--FILE--
+<?php
+$doc = new DOMDocument;
+$doc->loadXML('<?xml version="1.0"?><span><strong id="1"/><strong id="2"/></span>');
+$list = $doc->getElementsByTagName('strong');
+$doc->load(__DIR__."/book.xml");
+var_dump($list);
+?>
+--EXPECT--
+object(DOMNodeList)#2 (1) {
+  ["length"]=>
+  int(0)
+}
diff --git a/ext/mysqli/tests/fake_server.inc b/ext/mysqli/tests/fake_server.inc
index b02fabc584c5d..1127f6c00e3f9 100644
--- a/ext/mysqli/tests/fake_server.inc
+++ b/ext/mysqli/tests/fake_server.inc
@@ -552,8 +552,8 @@ class my_mysqli_fake_server_conn
 
     public function read($bytes_len = 1024)
     {
-        // wait 10ms to fill the buffer
-        usleep(10000);
+        // wait 20ms to fill the buffer
+        usleep(20000);
         $data = fread($this->conn, $bytes_len);
         if ($data) {
             fprintf(STDERR, "[*] Received: %s\n", bin2hex($data));
diff --git a/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt b/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt
index db54a6c0177a1..279aec6a2cba1 100644
--- a/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt
+++ b/ext/mysqli/tests/ghsa-h35g-vwh6-m678-auth-message.phpt
@@ -6,7 +6,7 @@ mysqli
 <?php
 require_once 'fake_server.inc';
 
-$port = 50001;
+$port = 33305;
 $servername = "127.0.0.1";
 $username = "root";
 $password = "";
@@ -34,5 +34,5 @@ print "done!";
 [*] Sending - Malicious OK Auth Response [Extract heap through buffer over-read]: 0900000200000002000000fcff
 
 Warning: mysqli::__construct(): OK packet message length is past the packet size in %s on line %d
-Unknown error while trying to connect via tcp://127.0.0.1:50001
+Unknown error while trying to connect via tcp://127.0.0.1:33305
 done!