diff --git a/lib/nvmf/vfio_user.c b/lib/nvmf/vfio_user.c
index e73232cd7..63468e5da 100644
--- a/lib/nvmf/vfio_user.c
+++ b/lib/nvmf/vfio_user.c
@@ -2767,6 +2767,19 @@ nvmf_vfio_user_qpair_poll(struct nvmf_vfio_user_qpair *qpair)
 */
 spdk_rmb();

+ new_tail = new_tail & 0xffffu;
+ if (spdk_unlikely(new_tail >= qpair->sq.size)) {
+ union spdk_nvme_async_event_completion event = {};
+
+ SPDK_DEBUGLOG(nvmf_vfio, "%s: invalid SQ%u doorbell value %u\n", ctrlr_id(ctrlr), qpair->qpair.qid,
+ new_tail);
+ event.bits.async_event_type = SPDK_NVME_ASYNC_EVENT_TYPE_ERROR;
+ event.bits.async_event_info = SPDK_NVME_ASYNC_EVENT_INVALID_DB_WRITE;
+ nvmf_ctrlr_async_event_error_event(qpair->qpair.ctrlr, event);
+
+ return 0;
+ }
+
 if (sq_head(qpair) == new_tail) {
 return 0;
 }
diff --git a/test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c b/test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c
index 67e4f224e..494f74422 100644
--- a/test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c
+++ b/test/unit/lib/nvmf/vfio_user.c/vfio_user_ut.c
@@ -51,6 +51,8 @@ DEFINE_STUB(spdk_nvmf_subsystem_get_nqn, const char *,
 (const struct spdk_nvmf_subsystem *subsystem), NULL);
 DEFINE_STUB(spdk_bdev_get_block_size, uint32_t, (const struct spdk_bdev *bdev), 512);
 DEFINE_STUB_V(nvmf_ctrlr_abort_aer, (struct spdk_nvmf_ctrlr *ctrlr));
+DEFINE_STUB(nvmf_ctrlr_async_event_error_event, int, (struct spdk_nvmf_ctrlr *ctrlr,
+ union spdk_nvme_async_event_completion event), 0);

 static void *
 gpa_to_vva(void *prv, uint64_t addr, uint64_t len, int prot)
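Review bot: In the `new_tail >= qpair->sq.size` branch of the first hunk, the error AER is raised again on every poll for as long as the guest leaves the out-of-range tail in the doorbell, because nothing records that this value was already reported before the `return 0;`. Whether `nvmf_ctrlr_async_event_error_event()` de-duplicates or bounds queued events is not visible here; if it does not, a guest controls how many events the target queues, so I would latch the report with a new per-SQ flag that is set in this branch and cleared once a valid tail is read. The call's `int` return (its type is visible in the unit-test stub) is discarded and should at least be checked. The message is only a `SPDK_DEBUGLOG`, so release builds keep no record of a guest writing bad doorbell values; a rate-limited `SPDK_ERRLOG` would give operators something to alert on. The body of `nvmf_vfio_user_qpair_poll` starts and ends outside the hunk.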