diff --git a/ChangeLog b/ChangeLog index 5446209..074d376 100644 --- a/ChangeLog +++ b/ChangeLog @@ -204,6 +204,10 @@ when the newline type is CRLF. 31. Fix a bug in pcre2test that caused a crash when a locale was set either in the current pattern or a previous one and a wide character was matched. +32. The appearance of \p, \P, or \X in a substitution string when +PCRE2_SUBSTITUTE_EXTENDED was set caused a segmentation fault (NULL +dereference). + Version 10.22 29-July-2016 -------------------------- diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c index fbc268d..15d6dd9 100644 --- a/src/pcre2_compile.c +++ b/src/pcre2_compile.c @@ -1352,10 +1352,10 @@ entry, ptr is pointing at the character after \. On exit, it points after the final code unit of the escape sequence. This function is also called from pcre2_substitute() to handle escape sequences -in replacement strings. In this case, the cb argument is NULL, and only -sequences that define a data character are recognised. The isclass argument is -not relevant, but the options argument is the final value of the compiled -pattern's options. +in replacement strings. In this case, the cb argument is NULL, and in the case +of escapes that have further processing, only sequences that define a data +character are recognised. The isclass argument is not relevant; the options +argument is the final value of the compiled pattern's options. Arguments: ptrptr points to the input position pointer @@ -1405,7 +1405,7 @@ else if ((i = escapes[c - ESCAPES_FIRST]) != 0) if (i > 0) c = (uint32_t)i; else /* Positive is a data character */ { escape = -i; /* Else return a special escape */ - if (escape == ESC_P || escape == ESC_p || escape == ESC_X) + if (cb != NULL && (escape == ESC_P || escape == ESC_p || escape == ESC_X)) cb->external_flags |= PCRE2_HASBKPORX; /* Note \P, \p, or \X */ } } diff --git a/testdata/testinput2 b/testdata/testinput2 index de8fe6f..3e08d4a 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 
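Review bot: The new `cb != NULL` test in the `escape = -i` branch has no comment at the site saying why cb can be NULL, so a later edit could drop or bypass it; I would add `/* cb is NULL when called from pcre2_substitute() */` above the `if`. The function body starts and ends outside this hunk, so it is worth confirming that no other `cb->` access is reachable on the NULL-cb path. That matters because a replacement string may come from untrusted input, and a NULL dereference there crashes the calling process. The test added to testdata/testinput2 exercises only `\P`, while the ChangeLog entry also names `\p` and `\X`; cases for those two would pin the whole fix.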
@@ -4925,4 +4925,7 @@ a)"xI /./newline=crlf \=ph +/(\x0e00\000000\xc)/replace=\P,substitute_extended +\x0e00\000000\xc + # End of testinput2 diff --git a/testdata/testoutput2 b/testdata/testoutput2 index 2d5f529..2476d48 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -15378,6 +15378,10 @@ Failed: error 109 at offset 6: quantifier does not follow a repeatable item \=ph No match +/(\x0e00\000000\xc)/replace=\P,substitute_extended +\x0e00\000000\xc +Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string + # End of testinput2 Error -63: PCRE2_ERROR_BADDATA (unknown error number) Error -62: bad serialized data