diff --git a/x/distribution/CHANGELOG.md b/x/distribution/CHANGELOG.md
index 86e4d0044555..7bf4484c429c 100644
--- a/x/distribution/CHANGELOG.md
+++ b/x/distribution/CHANGELOG.md
@@ -66,3 +66,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 ### Client Breaking Changes
 
 * [#17657](https://github.com/cosmos/cosmos-sdk/pull/17657) Deprecate `CommunityPool` and `FundCommunityPool` rpc methods. Use `x/protocolpool` module's rpc methods instead.
+
+### Bug Fixes
+
+* [#19301](https://github.com/cosmos/cosmos-sdk/pull/19301) Fix vulnerability in `incrementReferenceCount` in distribution.
\ No newline at end of file
diff --git a/x/distribution/keeper/validator.go b/x/distribution/keeper/validator.go
index 5132d3102e81..fe87cd34821f 100644
--- a/x/distribution/keeper/validator.go
+++ b/x/distribution/keeper/validator.go
@@ -124,10 +124,11 @@ func (k Keeper) incrementReferenceCount(ctx context.Context, valAddr sdk.ValAddr
 	if err != nil {
 		return err
 	}
+
+	historical.ReferenceCount++
 	if historical.ReferenceCount > 2 {
 		panic("reference count should never exceed 2")
 	}
-	historical.ReferenceCount++
 	return k.ValidatorHistoricalRewards.Set(ctx, collections.Join(valAddr, period), historical)
 }