diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 40751e457..0aebd3bab 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -2676,6 +2676,24 @@ static WARN_UNUSED_RESULT int wc_AesDecrypt(
 return BAD_FUNC_ARG;
 }
+ #if !defined(WOLFSSL_AES_128)
+ if (keylen == 16) {
+ return BAD_FUNC_ARG;
+ }
+ #endif
+
+ #if !defined(WOLFSSL_AES_192)
+ if (keylen == 24) {
+ return BAD_FUNC_ARG;
+ }
+ #endif
+
+ #if !defined(WOLFSSL_AES_256)
+ if (keylen == 32) {
+ return BAD_FUNC_ARG;
+ }
+ #endif
+
 aes->keylen = keylen;
 aes->rounds = keylen/4 + 6;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 440976c0b..7d60e5bb0 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -19063,7 +19063,7 @@ exit:
 #endif
 ) {
 ASNGetData dataASN[policyInfoASN_Length];
- byte* data;
+ byte* data = NULL;
 word32 length = 0;
 /* Clear dynamic data and check OID is a cert policy type. */
@@ -20186,7 +20186,7 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
 /* Check parameters starting with a SEQUENCE. */
 else if (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0) {
 word32 oid = dataASN[X509CERTASN_IDX_SIGALGO_OID].data.oid.sum;
- word32 sigAlgParamsSz;
+ word32 sigAlgParamsSz = 0;
 /* Parameters only with RSA PSS. */
 if (oid != CTC_RSASSAPSS) {
@@ -29291,9 +29291,9 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
 return ret;
 #else
 DECL_ASNSETDATA(dataASN, certReqBodyASN_Length);
- word32 publicKeySz;
+ word32 publicKeySz = 0;
 word32 subjectSz = 0;
- word32 extSz;
+ word32 extSz = 0;
 int sz = 0;
 int ret = 0;
 #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
diff --git a/wolfcrypt/src/cmac.c b/wolfcrypt/src/cmac.c
index 24ddcc635..db0906c99 100644
--- a/wolfcrypt/src/cmac.c
+++ b/wolfcrypt/src/cmac.c
@@ -216,6 +216,7 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
 {
 int ret;
 const byte* subKey;
+ word32 remainder;
 if (cmac == NULL || out == NULL || outSz == NULL) {
 return BAD_FUNC_ARG;
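Review bot: The three `#if !defined(WOLFSSL_AES_xxx)` blocks carry no comment saying why a key length that already passed the generic check is rejected again, and the directives are indented whereas the `#ifndef` this same commit adds in ed25519.c sits at column 0. One comment above the first block would do: `/* Reject key lengths whose AES variant is compiled out; keylen selects aes->rounds below. */`. The enclosing function starts and ends outside the hunk.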
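Review bot: Initializing `data`, `sigAlgParamsSz`, `publicKeySz` and `extSz` (the three asn.c hunks) makes a read-before-write path deterministic but not correct: a NULL `data` or zero size reaching a later use would still be wrong. If these were added to silence a maybe-uninitialized diagnostic rather than a path that was actually found, a comment at the first one such as `/* = NULL only to silence maybe-uninitialized; every path below must still set it */` keeps the next reader from treating NULL as a handled value. The enclosing functions extend outside the hunks.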
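Review bot: `word32 remainder;` is hoisted to function scope without an initializer, while the same commit zero-initializes the locals it touches in asn.c; `word32 remainder = 0;` keeps the two consistent and gives the variable a defined value on the `k1` branch, where as far as the later hunks show it is never assigned. wc_CmacFinal continues past the hunk.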
@@ -237,7 +238,11 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
 subKey = cmac->k1;
 }
 else {
- word32 remainder = AES_BLOCK_SIZE - cmac->bufferSz;
+ /* ensure we will have a valid remainder value */
+ if (cmac->bufferSz > AES_BLOCK_SIZE) {
+ return BAD_STATE_E;
+ }
+ remainder = AES_BLOCK_SIZE - cmac->bufferSz;
 if (remainder == 0) {
 remainder = AES_BLOCK_SIZE;
@@ -245,6 +250,7 @@ int wc_CmacFinal(Cmac* cmac, byte* out, word32* outSz)
 if (remainder > 1) {
 XMEMSET(cmac->buffer + AES_BLOCK_SIZE - remainder, 0, remainder);
 }
+ cmac->buffer[AES_BLOCK_SIZE - remainder] = 0x80;
 subKey = cmac->k2;
 }
diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c
index 5dee270fa..3b9988bc3 100644
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@@ -53,17 +53,29 @@
 #endif
 #if defined(HAVE_ED25519_SIGN) || defined(HAVE_ED25519_VERIFY)
-#define ED25519CTX_SIZE 32
+ /* Set a static message string for "Sig No Collisions Message SNC".
+ ** Note this is a static string per spec, see:
+ ** https://datatracker.ietf.org/doc/rfc8032/
+ */
+ #define ED25519CTX_SNC_MESSAGE "SigEd25519 no Ed25519 collisions"
+ #define ED25519CTX_SIZE 32 /* 32 chars: fixed length of SNC Message. */
-static const byte ed25519Ctx[ED25519CTX_SIZE+1] =
- "SigEd25519 no Ed25519 collisions";
+ /* The 32 bytes of ED25519CTX_SIZE is used elsewhere, but we need one
+ ** more char for saving the line ending in our ed25519Ctx[] here: */
+ static const byte ed25519Ctx[ED25519CTX_SIZE + 1] = ED25519CTX_SNC_MESSAGE;
 #endif
 static int ed25519_hash_init(ed25519_key* key, wc_Sha512 *sha)
 {
 int ret;
+#ifndef WOLFSSL_ED25519_PERSISTENT_SHA
+ /* when not using persistent SHA, we'll zero the sha param */
+ XMEMSET(sha, 0, sizeof(wc_Sha512));
+#endif
+
 ret = wc_InitSha512_ex(sha, key->heap,
+
 #if defined(WOLF_CRYPTO_CB)
 key->devId
 #else
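Review bot: The `cmac->bufferSz > AES_BLOCK_SIZE` guard is the substantive part of this hunk and its comment undersells it: `remainder` is a word32, so a bufferSz above the block size would make `AES_BLOCK_SIZE - cmac->bufferSz` wrap to a huge value, and `cmac->buffer + AES_BLOCK_SIZE - remainder` in the XMEMSET and the new 0x80 store of the next hunk would then address memory outside the block buffer. Replace `/* ensure we will have a valid remainder value */` with `/* bufferSz is internal state; a value above AES_BLOCK_SIZE means the Cmac was corrupted, and the unsigned subtraction below would index outside buffer, hence BAD_STATE_E not BAD_FUNC_ARG */`. wc_CmacFinal continues past the hunk.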
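Review bot: The comment above `ed25519Ctx[ED25519CTX_SIZE + 1]` says the extra byte is "for saving the line ending", but what `ED25519CTX_SNC_MESSAGE` needs the 33rd byte for is the string literal's terminating NUL; as written, a reader may conclude a newline is part of the prefix. Suggest `/* the +1 holds the string literal's NUL terminator; only ED25519CTX_SIZE bytes form the prefix used elsewhere */` — whether every user of ED25519CTX_SIZE hashes exactly 32 bytes is outside this hunk, so confirm before wording it more strongly. The added blank `+` line inside the `wc_InitSha512_ex(sha, key->heap,` argument list also splits a call across an empty line for no reason. ed25519_hash_init continues past the hunk.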
@@ -334,8 +346,9 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
 #else
 wc_Sha512 sha[1];
 ret = ed25519_hash_init(key, sha);
- if (ret < 0)
+ if (ret < 0) {
 return ret;
+ }
 #endif
 if (type == Ed25519ctx || type == Ed25519ph) {
@@ -386,6 +399,7 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
 wc_Sha512 *sha = &key->sha;
 #else
 wc_Sha512 sha[1];
+
 ret = ed25519_hash_init(key, sha);
 if (ret < 0)
 return ret;
@@ -765,9 +779,10 @@ int wc_ed25519_verify_msg_ex(const byte* sig, word32 sigLen, const byte* msg,
 sha = &key->sha;
 #else
 ret = ed25519_hash_init(key, sha);
- if (ret < 0)
+ if (ret < 0) {
 return ret;
-#endif
+ }
+#endif /* WOLFSSL_ED25519_PERSISTENT_SHA */
 ret = ed25519_verify_msg_init_with_sha(sig, sigLen, key, sha, type,
 context, contextLen);
@@ -871,7 +886,9 @@ int wc_ed25519_init_ex(ed25519_key* key, void* heap, int devId)
 if (key == NULL)
 return BAD_FUNC_ARG;
+ /* for init, ensure the key is zeroed*/
 XMEMSET(key, 0, sizeof(ed25519_key));
+
 #ifdef WOLF_CRYPTO_CB
 key->devId = devId;
 #else
diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c
index b84ac5d52..66296108e 100644
--- a/wolfcrypt/src/md5.c
+++ b/wolfcrypt/src/md5.c
@@ -450,7 +450,12 @@ int wc_Md5Final(wc_Md5* md5, byte* hash)
 }
 #endif /* WOLFSSL_ASYNC_CRYPT */
- local = (byte*)md5->buffer;
+ local = (byte*)md5->buffer; /* buffer allocated in word32 size */
+
+ /* ensure we have a valid buffer length; (-1 to append a byte to length) */
+ if (md5->buffLen > WC_MD5_BLOCK_SIZE - 1) {
+ return BUFFER_E;
+ }
 local[md5->buffLen++] = 0x80; /* add 1 */
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index f25039b5f..e445251d1 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
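Review bot: The new comment `/* for init, ensure the key is zeroed*/` in wc_ed25519_init_ex lacks the space before `*/` and restates the XMEMSET rather than its purpose; `/* start from an all-zero key so fields not explicitly set below have a defined value */` says why. The brace additions in the two sign/verify hunks are fine and match the braced `if` style the commit uses elsewhere. The enclosing functions extend outside the hunks.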
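Review bot: The bound in wc_Md5Final is written `md5->buffLen > WC_MD5_BLOCK_SIZE - 1` and returns `BUFFER_E`, while the equivalent internal-state guard this commit adds in ripemd.c (and the cmac.c one) returns `BAD_STATE_E`; both reject a corrupted digest context, so one error code across the files would be consistent, and `if (md5->buffLen >= WC_MD5_BLOCK_SIZE) {` reads more directly than the `- 1` and makes the `(-1 to append a byte to length)` remark unnecessary. Note the md5 bound is the one that actually keeps the following `local[md5->buffLen++] = 0x80` in range when buffLen equals the block size; the ripemd hunk does not. wc_Md5Final continues outside the hunk.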
@@ -36,6 +36,9 @@ This library contains implementation for the random number generator.
 http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRNG11I
 */
+#if defined(ESP_IDF_VERSION_MAJOR) && ESP_IDF_VERSION_MAJOR >= 5
+ #include
+#endif
 #if defined(HAVE_FIPS) && \
 defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
diff --git a/wolfcrypt/src/ripemd.c b/wolfcrypt/src/ripemd.c
index 1fedf67f8..9402c70be 100644
--- a/wolfcrypt/src/ripemd.c
+++ b/wolfcrypt/src/ripemd.c
@@ -324,6 +324,12 @@ int wc_RipeMdFinal(RipeMd* ripemd, byte* hash)
 AddLength(ripemd, ripemd->buffLen); /* before adding pads */
+ /* ensure we have a valid buffer length; */
+ if (ripemd->buffLen > RIPEMD_BLOCK_SIZE) {
+ /* exit with error code if there's a bad buffer size in buffLen */
+ return BAD_STATE_E;
+ } /* buffLen check */
+
 local[ripemd->buffLen++] = 0x80; /* add 1 */
 /* pad with zeros */
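Review bot: The added `#include` line shows no header name on this page — most likely an angle-bracketed name was stripped in rendering — so which ESP-IDF 5 header the version guard pulls in cannot be checked here, and the line as displayed would not compile. A comment naming the API that moved, e.g. `/* ESP-IDF 5: [API used by this file] is declared in its own header */` with the real API filled in, would make the `ESP_IDF_VERSION_MAJOR >= 5` guard self-explaining. This is file-scope preamble, not inside a function.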
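Review bot: The guard `ripemd->buffLen > RIPEMD_BLOCK_SIZE` still admits `buffLen == RIPEMD_BLOCK_SIZE`, and the next line then executes `local[ripemd->buffLen++] = 0x80`, a write at index RIPEMD_BLOCK_SIZE — one past the end if `ripemd->buffer` is RIPEMD_BLOCK_SIZE bytes, which is the case the md5.c hunk of this same commit covers with its `- 1`. Use `if (ripemd->buffLen >= RIPEMD_BLOCK_SIZE) {` so the state check covers the write it is there to protect; the branch is only reachable with corrupted state, which is exactly when the off-by-one matters. The trailing `/* buffLen check */` after the closing brace and the stray `;` in `/* ensure we have a valid buffer length; */` can go. wc_RipeMdFinal continues outside the hunk.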