diff --git a/libwvdrmengine/cdm/core/src/crypto_session.cpp b/libwvdrmengine/cdm/core/src/crypto_session.cpp
index 72fea8d6..42d09941 100644
--- a/libwvdrmengine/cdm/core/src/crypto_session.cpp
+++ b/libwvdrmengine/cdm/core/src/crypto_session.cpp
@@ -833,38 +833,37 @@ CdmResponseType CryptoSession::LoadKeys(
     const std::vector<CryptoKey>& keys,
     const std::string& provider_session_token,
     const std::string& srm_requirement, CdmLicenseKeyType key_type) {
-  LOGV("CryptoSession::LoadKeys: Lock");
-  AutoLock auto_lock(crypto_lock_);
-
-  if (key_type == kLicenseKeyTypeEntitlement &&
-      key_session_->Type() != KeySession::kEntitlement) {
-    key_session_.reset(new EntitlementKeySession(oec_session_id_, metrics_));
-  }
-
-  LOGV("LoadKeys: id=%lu", oec_session_id_);
-  OEMCryptoResult sts = key_session_->LoadKeys(
-      message, signature, mac_key_iv, mac_key, keys, provider_session_token,
-      &cipher_mode_, srm_requirement);
-
   CdmResponseType result = KEY_ADDED;
-  if (OEMCrypto_SUCCESS == sts) {
-    if (!provider_session_token.empty())
-      update_usage_table_after_close_session_ = true;
-    result = KEY_ADDED;
-  } else if (OEMCrypto_ERROR_TOO_MANY_KEYS == sts) {
-    LOGE("CryptoSession::LoadKeys: OEMCrypto_LoadKeys error=%d", sts);
-    result = INSUFFICIENT_CRYPTO_RESOURCES_4;
-  } else if (OEMCrypto_ERROR_USAGE_TABLE_UNRECOVERABLE == sts) {
-    // Handle vendor specific error
-    LOGE("CryptoSession::LoadKeys: OEMCrypto_LoadKeys error=%d", sts);
-    result = NEED_PROVISIONING;
-  } else {
-    LOGE("CryptoSession::LoadKeys: OEMCrypto_LoadKeys error=%d", sts);
-    result = LOAD_KEY_ERROR;
-  }
+  {
+    LOGV("CryptoSession::LoadKeys: Lock");
+    AutoLock auto_lock(crypto_lock_);
 
-  // Leaving critical section
-  crypto_lock_.Release();
+    if (key_type == kLicenseKeyTypeEntitlement &&
+        key_session_->Type() != KeySession::kEntitlement) {
+      key_session_.reset(new EntitlementKeySession(oec_session_id_, metrics_));
+    }
+
+    LOGV("LoadKeys: id=%lu", oec_session_id_);
+    OEMCryptoResult sts = key_session_->LoadKeys(
+        message, signature, mac_key_iv, mac_key, keys, provider_session_token,
+        &cipher_mode_, srm_requirement);
+
+    if (OEMCrypto_SUCCESS == sts) {
+      if (!provider_session_token.empty())
+        update_usage_table_after_close_session_ = true;
+      result = KEY_ADDED;
+    } else if (OEMCrypto_ERROR_TOO_MANY_KEYS == sts) {
+      LOGE("CryptoSession::LoadKeys: OEMCrypto_LoadKeys error=%d", sts);
+      result = INSUFFICIENT_CRYPTO_RESOURCES_4;
+    } else if (OEMCrypto_ERROR_USAGE_TABLE_UNRECOVERABLE == sts) {
+      // Handle vendor specific error
+      LOGE("CryptoSession::LoadKeys: OEMCrypto_LoadKeys error=%d", sts);
+      result = NEED_PROVISIONING;
+    } else {
+      LOGE("CryptoSession::LoadKeys: OEMCrypto_LoadKeys error=%d", sts);
+      result = LOAD_KEY_ERROR;
+    }
+  } // Release crypto_lock_
 
   if (!provider_session_token.empty() &&
       usage_support_type_ == kUsageTableSupport) {