diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index aef9d9451..51f986b53 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -5641,11 +5641,11 @@ func TestBackend_InitializeCertificateCounts(t *testing.T) {
 b.initializeStoredCertificateCounts(ctx)
 // Test certificate count
- if *(b.certCount) != 8 {
+ if atomic.LoadUint32(b.certCount) != 8 {
 t.Fatalf("Failed to initialize count of certificates root, A,B,C,D,E,F,G counted %d certs", *(b.certCount))
 }
- if *(b.revokedCertCount) != 4 {
+ if atomic.LoadUint32(b.revokedCertCount) != 4 {
 t.Fatalf("Failed to count revoked certificates A,B,C,D counted %d certs", *(b.revokedCertCount))
 }
diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go
index b8902fca0..8bd22da10 100644
--- a/builtin/logical/pki/path_tidy.go
+++ b/builtin/logical/pki/path_tidy.go
@@ -1020,8 +1020,8 @@ func (b *backend) pathTidyStatusRead(_ context.Context, _ *logical.Request, _ *f
 resp.Data["time_finished"] = b.tidyStatus.timeFinished
 }
- resp.Data["current_cert_store_count"] = b.certCount
- resp.Data["current_revoked_cert_count"] = b.revokedCertCount
+ resp.Data["current_cert_store_count"] = atomic.LoadUint32(b.certCount)
+ resp.Data["current_revoked_cert_count"] = atomic.LoadUint32(b.revokedCertCount)
 if !b.certsCounted.Load() {
 resp.AddWarning("Certificates in storage are still being counted, current counts provided may be " +
diff --git a/changelog/18899.txt b/changelog/18899.txt
new file mode 100644
index 000000000..92f2474ed
--- /dev/null
+++ b/changelog/18899.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: fix race between tidy's cert counting and tidy status reporting.
+```
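Review bot: The two `t.Fatalf` calls in the backend_test.go hunk still format `*(b.certCount)` and `*(b.revokedCertCount)` with a plain dereference, so the failure path reads the counters non-atomically even though the comparisons now use `atomic.LoadUint32`. If a counting goroutine can still be running at that point (not visible here), the race detector could flag the test on the very path meant to report a wrong count. Loading once and reusing the value keeps the comparison and the message consistent: `if got := atomic.LoadUint32(b.certCount); got != 8 {` with `got` passed to `t.Fatalf`, and the same for `b.revokedCertCount`. The test function starts and ends outside the hunk.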
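Review bot: In the path_tidy.go hunk the two counters are loaded before `b.certsCounted.Load()` is checked, so the three reads are not a consistent snapshot. Assuming `certsCounted` is set once the initial count completes (the setter is outside the hunk), a status read that overlaps that moment can return partially accumulated counts without the "still being counted" warning. Reading the flag first closes that window: `counted := b.certsCounted.Load()` ahead of the two `atomic.LoadUint32` calls, then `if !counted {`. pathTidyStatusRead begins and continues outside the hunk, so the writers' use of atomic operations on these fields should be confirmed separately.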