diff --git a/Zend/tests/property_hooks/gh16040.phpt b/Zend/tests/property_hooks/gh16040.phpt
new file mode 100644
index 0000000000000..69bca517c2d67
--- /dev/null
+++ b/Zend/tests/property_hooks/gh16040.phpt
@@ -0,0 +1,20 @@
+--TEST--
+GH-16040: Use-after-free on object released in hook
+--FILE--
+<?php
+
+class A {
+    public $bar {
+        get {
+            $GLOBALS['a'] = null;
+            return 42;
+        }
+    }
+}
+
+$a = new A();
+var_dump($a->bar);
+
+?>
+--EXPECT--
+int(42)
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index 64e494200eeac..106ce27830283 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -828,8 +828,8 @@ ZEND_API zval *zend_std_read_property(zend_object *zobj, zend_string *name, int
 
 		if (EXPECTED(cache_slot
 		 && zend_execute_ex == execute_ex
-		 && zobj->ce->default_object_handlers->read_property == zend_std_read_property
-		 && !zobj->ce->create_object
+		 && ce->default_object_handlers->read_property == zend_std_read_property
+		 && !ce->create_object
 		 && !zend_is_in_hook(prop_info)
 		 && !(prop_info->hooks[ZEND_PROPERTY_HOOK_GET]->common.fn_flags & ZEND_ACC_RETURN_REFERENCE))) {
 			ZEND_SET_PROPERTY_HOOK_SIMPLE_GET(cache_slot);