diff --git a/changes/bug40828 b/changes/bug40828
new file mode 100644
index 0000000000..7cc2126f1a
--- /dev/null
+++ b/changes/bug40828
@@ -0,0 +1,3 @@
+  o Minor bugfixes (protocol warn):
+    - Wrap a handful of cases where ProtocolWarning logs could emit IP
+      addresses. Fixes bug 40828; bugfix on 0.3.5.1-alpha.
diff --git a/src/core/mainloop/mainloop.c b/src/core/mainloop/mainloop.c
index 3702f3a74e..658b4b47ee 100644
--- a/src/core/mainloop/mainloop.c
+++ b/src/core/mainloop/mainloop.c
@@ -1271,8 +1271,8 @@ run_connection_housekeeping(int i, time_t now)
     log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL,
            "Expiring stuck OR connection to fd %d (%s:%d). (%d bytes to "
            "flush; %d seconds since last write)",
-           (int)conn->s, fmt_and_decorate_addr(&conn->addr), conn->port,
-           (int)connection_get_outbuf_len(conn),
+           (int)conn->s, safe_str(fmt_and_decorate_addr(&conn->addr)),
+           conn->port, (int)connection_get_outbuf_len(conn),
            (int)(now-conn->timestamp_last_write_allowed));
     connection_or_close_normally(TO_OR_CONN(conn), 0);
   } else if (past_keepalive && !connection_get_outbuf_len(conn)) {
diff --git a/src/core/or/relay.c b/src/core/or/relay.c
index 2c722f01cc..3af9435a76 100644
--- a/src/core/or/relay.c
+++ b/src/core/or/relay.c
@@ -1469,7 +1469,7 @@ connection_edge_process_relay_cell_not_open(
           (get_options()->ClientDNSRejectInternalAddresses &&
            tor_addr_is_internal(&addr, 0))) {
         log_info(LD_APP, "...but it claims the IP address was %s. Closing.",
-                 fmt_addr(&addr));
+                 safe_str(fmt_addr(&addr)));
         connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
         connection_mark_unattached_ap(entry_conn,
                                       END_STREAM_REASON_TORPROTOCOL);
@@ -1480,7 +1480,7 @@ connection_edge_process_relay_cell_not_open(
           (family == AF_INET6 && ! entry_conn->entry_cfg.ipv6_traffic)) {
         log_fn(LOG_PROTOCOL_WARN, LD_APP,
                "Got a connected cell to %s with unsupported address family."
-               " Closing.", fmt_addr(&addr));
+               " Closing.", safe_str(fmt_addr(&addr)));
         connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
         connection_mark_unattached_ap(entry_conn,
                                       END_STREAM_REASON_TORPROTOCOL);
diff --git a/src/feature/hs/hs_common.c b/src/feature/hs/hs_common.c
index 6547372161..cd7e4890d1 100644
--- a/src/feature/hs/hs_common.c
+++ b/src/feature/hs/hs_common.c
@@ -1680,7 +1680,7 @@ hs_get_extend_info_from_lspecs(const smartlist_t *lspecs,
   if (!extend_info_addr_is_allowed(&ap.addr)) {
     log_fn(LOG_PROTOCOL_WARN, LD_REND,
            "Requested address is private and we are not allowed to extend to "
-           "it: %s:%u", fmt_addr(&ap.addr), ap.port);
+           "it: %s:%u", safe_str(fmt_addr(&ap.addr)), ap.port);
     goto done;
   }
 
diff --git a/src/feature/relay/relay_find_addr.c b/src/feature/relay/relay_find_addr.c
index 5a32283a7b..106117b236 100644
--- a/src/feature/relay/relay_find_addr.c
+++ b/src/feature/relay/relay_find_addr.c
@@ -78,7 +78,7 @@ relay_address_new_suggestion(const tor_addr_t *suggested_addr,
     /* Do not believe anyone who says our address is their address. */
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "A relay endpoint %s is telling us that their address is ours.",
-           fmt_addr(peer_addr));
+           safe_str(fmt_addr(peer_addr)));
     return;
   }