diff --git a/Lib/test/test_zlib.py b/Lib/test/test_zlib.py
index eed8164018f..f3dffd6f71d 100644
--- a/Lib/test/test_zlib.py
+++ b/Lib/test/test_zlib.py
@@ -396,6 +396,18 @@ class CompressObjectTestCase(BaseCompressTestCase, unittest.TestCase):
         y += dco.flush()
         self.assertEqual(y, 'foo')
 
+    def test_flush_with_freed_input(self):
+        # Issue #16411: decompressor accesses input to last decompress() call
+        # in flush(), even if this object has been freed in the meanwhile.
+        input1 = 'abcdefghijklmnopqrstuvwxyz'
+        input2 = 'QWERTYUIOPASDFGHJKLZXCVBNM'
+        data = zlib.compress(input1)
+        dco = zlib.decompressobj()
+        dco.decompress(data, 1)
+        del data
+        data = zlib.compress(input2)
+        self.assertEqual(dco.flush(), input1[1:])
+
     if hasattr(zlib.compressobj(), "copy"):
         def test_compresscopy(self):
             # Test copying a compression object
diff --git a/Misc/NEWS b/Misc/NEWS
index 93aec6b8bd7..a4a4105abdf 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -140,6 +140,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16411: Fix a bug where zlib.decompressobj().flush() might try to access
+  previously-freed memory. Patch by Serhiy Storchaka.
+
 - Issue #16350: zlib.decompressobj().decompress() now accumulates data from
   successive calls after EOF in unused_data, instead of only saving the argument
   to the last call. decompressobj().flush() now correctly sets unused_data and
diff --git a/Modules/zlibmodule.c b/Modules/zlibmodule.c
index b9e207e595a..d6c6728f8ec 100644
--- a/Modules/zlibmodule.c
+++ b/Modules/zlibmodule.c
@@ -830,6 +830,8 @@ PyZlib_unflush(compobject *self, PyObject *args)
     ENTER_ZLIB
 
     start_total_out = self->zst.total_out;
+    self->zst.avail_in = PyBytes_GET_SIZE(self->unconsumed_tail);
+    self->zst.next_in = (Byte *)PyBytes_AS_STRING(self->unconsumed_tail);
     self->zst.avail_out = length;
     self->zst.next_out = (Byte *)PyString_AS_STRING(retval);