diff --git a/src/internal.c b/src/internal.c
index b62680847..4330c4920 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -13611,6 +13611,10 @@ static WC_INLINE int VerifyMacEnc(WOLFSSL* ssl, const byte* input, word32 msgSz,
 
     WOLFSSL_MSG("Verify MAC of Encrypted Data");
 
+    if (msgSz < digestSz) {
+        return VERIFY_MAC_ERROR;
+    }
+
     ret  = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1);
     ret |= ConstantCompare(verify, input + msgSz - digestSz, digestSz);
     if (ret != 0) {