diff --git a/libwvdrmengine/cdm/core/src/cdm_engine.cpp b/libwvdrmengine/cdm/core/src/cdm_engine.cpp
index 35fefd92..9682fdf0 100644
--- a/libwvdrmengine/cdm/core/src/cdm_engine.cpp
+++ b/libwvdrmengine/cdm/core/src/cdm_engine.cpp
@@ -396,7 +396,16 @@ CdmResponseType CdmEngine::AddKey(const CdmSessionId& session_id,
     return EMPTY_KEY_DATA_1;
   }
 
-  const CdmResponseType sts = session->AddKey(key_data);
+  CdmResponseType sts = KEY_ADDED;
+  {
+    // TODO(rfrias): Refactor. For now lock while adding keys to prevent
+    // a race condition between this and the decryption thread. This may
+    // occur if |policy_timers_| is reset when PolicyEngine::SetLicense
+    // is called.
+    std::unique_lock<std::recursive_mutex> lock(session_map_lock_);
+    sts = session->AddKey(key_data);
+  }
+
   if (sts == KEY_ADDED) {
     if (session->is_release()) {
       *license_type = kLicenseTypeRelease;
@@ -464,6 +473,7 @@ CdmResponseType CdmEngine::RestoreKey(const CdmSessionId& session_id,
 CdmResponseType CdmEngine::RemoveKeys(const CdmSessionId& session_id) {
   LOGI("session_id = %s", IdToString(session_id));
   std::shared_ptr<CdmSession> session;
+  std::unique_lock<std::recursive_mutex> lock(session_map_lock_);
   if (!session_map_.FindSession(session_id, &session)) {
     LOGE("Session not found: session_id = %s", IdToString(session_id));
     return SESSION_NOT_FOUND_5;
@@ -475,6 +485,7 @@ CdmResponseType CdmEngine::RemoveKeys(const CdmSessionId& session_id) {
 CdmResponseType CdmEngine::RemoveLicense(const CdmSessionId& session_id) {
   LOGI("session_id = %s", IdToString(session_id));
   std::shared_ptr<CdmSession> session;
+  std::unique_lock<std::recursive_mutex> lock(session_map_lock_);
   if (!session_map_.FindSession(session_id, &session)) {
     LOGE("Session not found: session_id = %s", IdToString(session_id));
     return SESSION_NOT_FOUND_19;