diff --git a/src/tls.c b/src/tls.c
index e065c7659..d6b8815d2 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -8131,13 +8131,17 @@ int TLSX_KeyShare_Establish(WOLFSSL *ssl)
 if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))
 return BAD_KEY_SHARE_DATA;
 
- #ifdef OPENSSL_EXTRA
 if ((clientKSE->group & NAMED_DH_MASK) == 0) {
- /* Check if server supports group. */
- if (ssl->ctx->disabledCurves & (1 << clientKSE->group))
+ /* Check max value supported. */
+ if (clientKSE->group > WOLFSSL_ECC_MAX) {
 continue;
+ }
+ #ifdef OPENSSL_EXTRA
+ /* Check if server supports group. */
+ if (ssl->ctx->disabledCurves & ((word32)1 << clientKSE->group))
+ continue;
+ #endif
 }
- #endif
 if (!TLSX_KeyShare_IsSupported(clientKSE->group))
 continue;
 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index c9b441b5a..5522c7d61 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3032,6 +3032,7 @@ enum {
 WOLFSSL_ECC_BRAINPOOLP512R1 = 28,
 WOLFSSL_ECC_X25519 = 29,
 WOLFSSL_ECC_X448 = 30,
+ WOLFSSL_ECC_MAX = 30,
 
 WOLFSSL_FFDHE_2048 = 256,
 WOLFSSL_FFDHE_3072 = 257,
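Review bot: Nothing ties WOLFSSL_ECC_MAX to the width of `disabledCurves`, yet the new `clientKSE->group > WOLFSSL_ECC_MAX` guard in TLSX_KeyShare_Establish (src/tls.c) is the only thing keeping the `(word32)1 << clientKSE->group` shift below it defined. The group id is taken from the peer's key share, so if the enum in wolfssl/ssl.h later grows past 31 and the maximum is raised with it, the shift count can again reach the width of what the `word32` cast suggests is a 32-bit mask, with no compiler warning. I would record the constraint beside the new enum entry, e.g. `/* must stay < 32: used as a bit index into the disabledCurves mask */`, or enforce it with a compile-time assertion. The guard now also runs in builds without OPENSSL_EXTRA and skips every group above 30 that lacks the NAMED_DH_MASK bit before TLSX_KeyShare_IsSupported is consulted; that looks intended, but it is worth confirming against any named group ids outside the ECC range. The function body starts and ends outside the hunk.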