diff --git a/core/lib/Drupal/Core/Path/PathValidator.php b/core/lib/Drupal/Core/Path/PathValidator.php
index c132210ca636234277f26109de90942e2313e6b7..978b672cca534b8b68c6a4b3493ae0ee366b50e5 100644
--- a/core/lib/Drupal/Core/Path/PathValidator.php
+++ b/core/lib/Drupal/Core/Path/PathValidator.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Session\AccountInterface;
 use Drupal\Core\Url;
 use Drupal\Core\Routing\RouteObjectInterface;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\Routing\Exception\MethodNotAllowedException;
@@ -118,7 +119,12 @@ protected function getUrl($path, $access_check) {
       return Url::fromUri($path);
     }
 
-    $request = Request::create('/' . $path);
+    try {
+      $request = Request::create('/' . $path);
+    }
+    catch (BadRequestException) {
+      return FALSE;
+    }
     $attributes = $this->getPathAttributes($path, $request, $access_check);
 
     if (!$attributes) {
@@ -172,6 +178,9 @@ protected function getPathAttributes($path, Request $request, $access_check) {
     catch (MethodNotAllowedException $e) {
       $result = FALSE;
     }
+    catch (BadRequestException) {
+      $result = FALSE;
+    }
 
     $router->setContext($initial_request_context);
     return $result;
diff --git a/core/tests/Drupal/Tests/Core/Path/PathValidatorTest.php b/core/tests/Drupal/Tests/Core/Path/PathValidatorTest.php
index b7b25b5f85dc62e8c2c544ebb5aa83f59e0875b5..1f80c6f6cd6adea9628ec541a062e7ffc576b7c7 100644
--- a/core/tests/Drupal/Tests/Core/Path/PathValidatorTest.php
+++ b/core/tests/Drupal/Tests/Core/Path/PathValidatorTest.php
@@ -444,4 +444,20 @@ public function testGetUrlIfValidWithoutAccessCheck(): void {
     $this->assertEquals(['key' => 'value'], $url->getRouteParameters());
   }
 
+  /**
+   * Tests the getUrlIfValidWithoutAccessCheck() method with an invalid path.
+   *
+   * @covers ::getUrlIfValidWithoutAccessCheck
+   * @covers ::getUrl
+   */
+  public function testGetUrlIfValidWithoutAccessCheckWithInvalidPath(): void {
+    // URLs must not start nor end with ASCII control characters or spaces.
+    $this->assertFalse($this->pathValidator->getUrlIfValidWithoutAccessCheck('foo '));
+    // Also check URL-encoded variant.
+    $this->pathProcessor->expects($this->once())
+      ->method('processInbound')
+      ->willReturnArgument(0);
+    $this->assertFalse($this->pathValidator->getUrlIfValidWithoutAccessCheck('foo%20'));
+  }
+
 }