diff --git a/quic/conn.go b/quic/conn.go
index fbd8b843..bf54409b 100644
--- a/quic/conn.go
+++ b/quic/conn.go
@@ -216,6 +216,9 @@ func (c *Conn) confirmHandshake(now time.Time) {
 // discardKeys discards unused packet protection keys.
 // https://www.rfc-editor.org/rfc/rfc9001#section-4.9
 func (c *Conn) discardKeys(now time.Time, space numberSpace) {
+	if err := c.crypto[space].discardKeys(); err != nil {
+		c.abort(now, err)
+	}
 	switch space {
 	case initialSpace:
 		c.keysInitial.discard()
diff --git a/quic/crypto_stream.go b/quic/crypto_stream.go
index a4dcb32e..806c9639 100644
--- a/quic/crypto_stream.go
+++ b/quic/crypto_stream.go
@@ -139,3 +139,21 @@ func (s *cryptoStream) sendData(off int64, b []byte) {
 	s.out.copy(off, b)
 	s.outunsent.sub(off, off+int64(len(b)))
 }
+
+// discardKeys is called when the packet protection keys for the stream are dropped.
+func (s *cryptoStream) discardKeys() error {
+	if s.in.end-s.in.start != 0 {
+		// The peer sent some unprocessed CRYPTO data that we're about to discard.
+		// Close the connetion with a TLS unexpected_message alert.
+		// https://www.rfc-editor.org/rfc/rfc5246#section-7.2.2
+		const unexpectedMessage = 10
+		return localTransportError{
+			code:   errTLSBase + unexpectedMessage,
+			reason: "excess crypto data",
+		}
+	}
+	// Discard any unacked (but presumably received) data in our output buffer.
+	s.out.discardBefore(s.out.end)
+	*s = cryptoStream{}
+	return nil
+}
diff --git a/quic/tls_test.go b/quic/tls_test.go
index 9c1dd364..f4abdda5 100644
--- a/quic/tls_test.go
+++ b/quic/tls_test.go
@@ -615,3 +615,32 @@ func TestConnAEADLimitReached(t *testing.T) {
 	tc.advance(1 * time.Second)
 	tc.wantIdle("auth failures at limit: conn does not process additional packets")
 }
+
+func TestConnKeysDiscardedWithExcessCryptoData(t *testing.T) {
+	tc := newTestConn(t, serverSide, permissiveTransportParameters)
+	tc.ignoreFrame(frameTypeAck)
+	tc.ignoreFrame(frameTypeNewConnectionID)
+	tc.ignoreFrame(frameTypeCrypto)
+
+	// One byte of excess CRYPTO data, separated from the valid data by a one-byte gap.
+	tc.writeFrames(packetTypeInitial,
+		debugFrameCrypto{
+			off:  int64(len(tc.cryptoDataIn[tls.QUICEncryptionLevelInitial]) + 1),
+			data: []byte{0},
+		})
+	tc.writeFrames(packetTypeInitial,
+		debugFrameCrypto{
+			data: tc.cryptoDataIn[tls.QUICEncryptionLevelInitial],
+		})
+
+	// We don't drop the Initial keys and discover the excess data until the client
+	// sends a Handshake packet.
+	tc.writeFrames(packetTypeHandshake,
+		debugFrameCrypto{
+			data: tc.cryptoDataIn[tls.QUICEncryptionLevelHandshake],
+		})
+	tc.wantFrame("connection closed due to excess Initial CRYPTO data",
+		packetType1RTT, debugFrameConnectionCloseTransport{
+			code: errTLSBase + 10,
+		})
+}