diff --git a/Lib/html/parser.py b/Lib/html/parser.py
index 12c28b8339f..a650d5eeded 100644
--- a/Lib/html/parser.py
+++ b/Lib/html/parser.py
@@ -264,9 +264,9 @@ class HTMLParser(_markupbase.ParserBase):
 i = self.updatepos(i, k)
 continue
 else:
- if ";" in rawdata[i:]: #bail by consuming &#
- self.handle_data(rawdata[0:2])
- i = self.updatepos(i, 2)
+ if ";" in rawdata[i:]: # bail by consuming &#
+ self.handle_data(rawdata[i:i+2])
+ i = self.updatepos(i, i+2)
 break
 elif startswith('&', i):
 match = entityref.match(rawdata, i)
diff --git a/Lib/test/test_htmlparser.py b/Lib/test/test_htmlparser.py
index 1a480c81872..2d771a2a974 100644
--- a/Lib/test/test_htmlparser.py
+++ b/Lib/test/test_htmlparser.py
@@ -167,6 +167,12 @@ text
 ("data", "&#bad;"),
 ("endtag", "p"),
 ])
+ # add the [] as a workaround to avoid buffering (see #20288)
+ self._run_check(["
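Review bot: The bail-out test `";" in rawdata[i:]` on the re-commented line slices a copy of the whole remaining buffer and is satisfied by a `;` anywhere after the `&#`, not only one that terminates this reference. When no `;` is present the branch falls through to `break` with nothing consumed, so on untrusted input fed in pieces the same tail is presumably copied again on each pass; `if rawdata.find(";", i) != -1:  # bail by consuming &#` makes the same decision without the copy. The fixed pair `rawdata[i:i+2]` and `updatepos(i, i+2)` would be easier to audit with a short comment, for example `# offsets are absolute positions in rawdata, not lengths`. The enclosing method starts and ends outside the hunk.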
&#bad;
"], [
+ ("starttag", "div", []),
+ ("data", "&#bad;"),
+ ("endtag", "div"),
+ ])
 def test_unclosed_entityref(self):
 self._run_check("&entityref foo", [
diff --git a/Misc/NEWS b/Misc/NEWS
index 71892a6d6e4..7e96863eb80 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -41,6 +41,8 @@ Library
 ValueError instead of assert for forbidden subprocess_{shell,exec} arguments. (More to follow -- a convenience API for subprocesses.)
+- Issue #20288: fix handling of invalid numeric charrefs in HTMLParser.
+
 - Issue #20424: Python implementation of io.StringIO now supports lone surrogates.
 - Issue #20308: inspect.signature now works on classes without user-defined