diff --git a/changes/bug19066 b/changes/bug19066
new file mode 100644
index 0000000000..c3d1fc789a
--- /dev/null
+++ b/changes/bug19066
@@ -0,0 +1,5 @@
+  o Minor bugfixes (directory authority):
+    - When parsing detached signature, make sure we use the length of the
+      digest algorithm instead of an hardcoded DIGEST256_LEN in order to
+      avoid comparing bytes out of bound with a smaller digest length such
+      as SHA1. Fixes #19066; bugfix on tor-0.2.2.6-alpha.
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 600d55294f..e44899f0cf 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -3505,7 +3505,7 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos)
     digest_algorithm_t alg;
     const char *flavor;
     const char *hexdigest;
-    size_t expected_length;
+    size_t expected_length, digest_length;
 
     tok = _tok;
 
@@ -3530,6 +3530,8 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos)
 
     expected_length =
       (alg == DIGEST_SHA1) ? HEX_DIGEST_LEN : HEX_DIGEST256_LEN;
+    digest_length =
+      (alg == DIGEST_SHA1) ? DIGEST_LEN : DIGEST256_LEN;
 
     if (strlen(hexdigest) != expected_length) {
       log_warn(LD_DIR, "Wrong length on consensus-digest in detached "
@@ -3538,12 +3540,12 @@ networkstatus_parse_detached_signatures(const char *s, const char *eos)
     }
     digests = detached_get_digests(sigs, flavor);
     tor_assert(digests);
-    if (!tor_mem_is_zero(digests->d[alg], DIGEST256_LEN)) {
+    if (!tor_mem_is_zero(digests->d[alg], digest_length)) {
       log_warn(LD_DIR, "Multiple digests for %s with %s on detached "
                "signatures document", flavor, algname);
       continue;
     }
-    if (base16_decode(digests->d[alg], DIGEST256_LEN,
+    if (base16_decode(digests->d[alg], digest_length,
                       hexdigest, strlen(hexdigest)) < 0) {
       log_warn(LD_DIR, "Bad encoding on consensus-digest in detached "
                "networkstatus signatures");