diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 1638be621..495e03d7f 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -9457,6 +9457,9 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
     aes->alFd = -1;
     aes->rdFd = -1;
 #endif
+#if defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC)
+    aes->ctx.cfd = -1;
+#endif
 
     return ret;
 }
diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
index ea872f9db..930ab553f 100644
--- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
@@ -283,7 +283,7 @@ static int wc_DevCrypto_AesGcm(Aes* aes, byte* out, byte* in, word32 sz,
                    const byte* authIn, word32 authInSz,
                    int dir)
 {
-    struct crypt_auth_op crt;
+    struct crypt_auth_op crt = {0};
     int ret;
     byte scratch[AES_BLOCK_SIZE];
 
@@ -299,6 +299,7 @@ static int wc_DevCrypto_AesGcm(Aes* aes, byte* out, byte* in, word32 sz,
     if (in == NULL)
         in = scratch;
 
+    XMEMSET(scratch, 0, AES_BLOCK_SIZE);
     if (aes->ctx.cfd == -1) {
         ret = wc_DevCryptoCreate(&aes->ctx, CRYPTO_AES_GCM, (byte*)aes->devKey,
                 aes->keylen);
diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_hash.c b/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
index 96a9cec8d..9e986336b 100644
--- a/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
+++ b/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
@@ -174,6 +174,8 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash)
         return BAD_FUNC_ARG;
     }
 
+    /* help static analysis tools out */
+    XMEMSET(hash, 0, WC_SHA256_DIGEST_SIZE);
 #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
     /* keep full message to hash at end instead of incremental updates */
     if ((ret = HashUpdate(sha, CRYPTO_SHA2_256, sha->msg, sha->used)) < 0) {
@@ -205,6 +207,8 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
         wc_Sha256Copy(sha, &cpy);
 
         if ((ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) {
+            /* help static analysis tools out */
+            XMEMSET(hash, 0, WC_SHA256_DIGEST_SIZE);
             ret = GetDigest(&cpy, CRYPTO_SHA2_256, hash);
         }
         wc_Sha256Free(&cpy);
diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c
index 804b163d4..874a200f1 100644
--- a/wolfcrypt/src/sha256.c
+++ b/wolfcrypt/src/sha256.c
@@ -2767,17 +2767,17 @@ void wc_Sha256Free(wc_Sha256* sha256)
         close(sha256->rdFd);
         sha256->rdFd = -1; /* avoid possible double close on socket */
     }
-
-    #if defined(WOLFSSL_AFALG_HASH_KEEP)
-    if (sha256->msg != NULL) {
-        XFREE(sha256->msg, sha256->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        sha256->msg = NULL;
-    }
-    #endif
 #endif /* WOLFSSL_AFALG_HASH */
 #ifdef WOLFSSL_DEVCRYPTO_HASH
     wc_DevCryptoFree(&sha256->ctx);
 #endif /* WOLFSSL_DEVCRYPTO */
+#if defined(WOLFSSL_AFALG_HASH_KEEP) || \
+    (defined(WOLFSSL_DEVCRYPTO_HASH) && defined(WOLFSSL_DEVCRYPTO_HASH_KEEP))
+    if (sha256->msg != NULL) {
+        XFREE(sha256->msg, sha256->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        sha256->msg = NULL;
+    }
+#endif
 }
 
 #endif /* !WOLFSSL_TI_HASH */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 2154896aa..083c91af4 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -5821,6 +5821,9 @@ static int aes_cbc_test(void)
     byte key[] = "0123456789abcdef   ";  /* align */
     byte iv[]  = "1234567890abcdef   ";  /* align */
 
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE);
+    XMEMSET(plain, 0, AES_BLOCK_SIZE);
+
     /* Parameter Validation testing. */
     ret = wc_AesCbcEncryptWithKey(cipher, msg, AES_BLOCK_SIZE, key, 17, NULL);
     if (ret != BAD_FUNC_ARG)
@@ -5894,6 +5897,7 @@ int aes_test(void)
         return -5403;
 #endif
 
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE * 4);
     ret = wc_AesCbcEncrypt(&enc, cipher, msg, AES_BLOCK_SIZE);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
@@ -5901,6 +5905,7 @@ int aes_test(void)
     if (ret != 0)
         return -5404;
 #ifdef HAVE_AES_DECRYPT
+    XMEMSET(plain, 0, AES_BLOCK_SIZE * 4);
     ret = wc_AesCbcDecrypt(&dec, plain, cipher, AES_BLOCK_SIZE);
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
@@ -6445,6 +6450,7 @@ int aes192_test(void)
         return -5503;
 #endif
 
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE);
     ret = wc_AesCbcEncrypt(&enc, cipher, msg, (int) sizeof(msg));
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
@@ -6452,6 +6458,7 @@ int aes192_test(void)
     if (ret != 0)
         return -5504;
 #ifdef HAVE_AES_DECRYPT
+    XMEMSET(plain, 0, AES_BLOCK_SIZE);
     ret = wc_AesCbcDecrypt(&dec, plain, cipher, (int) sizeof(cipher));
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);
@@ -6532,6 +6539,7 @@ int aes256_test(void)
         return -5603;
 #endif
 
+    XMEMSET(cipher, 0, AES_BLOCK_SIZE);
     ret = wc_AesCbcEncrypt(&enc, cipher, msg, (int) sizeof(msg));
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &enc.asyncDev, WC_ASYNC_FLAG_NONE);
@@ -6539,6 +6547,7 @@ int aes256_test(void)
     if (ret != 0)
         return -5604;
 #ifdef HAVE_AES_DECRYPT
+    XMEMSET(plain, 0, AES_BLOCK_SIZE);
     ret = wc_AesCbcDecrypt(&dec, plain, cipher, (int) sizeof(cipher));
 #if defined(WOLFSSL_ASYNC_CRYPT)
     ret = wc_AsyncWait(ret, &dec.asyncDev, WC_ASYNC_FLAG_NONE);