diff --git a/src/hsm/cmd_cipher_sym.c b/src/hsm/cmd_cipher_sym.c
index 1c85c92..bcd714f 100644
--- a/src/hsm/cmd_cipher_sym.c
+++ b/src/hsm/cmd_cipher_sym.c
@@ -664,6 +664,7 @@ int cmd_cipher_sym() {
                     secret[64] = { 0 };
             mbedtls_aes_init(&ctx);
             if (hd_keytype != 0x3) {
+                mbedtls_ecdsa_free(&hd_context);
                 return SW_INCORRECT_PARAMS();
             }
             key_size = 32;
diff --git a/src/hsm/cmd_signature.c b/src/hsm/cmd_signature.c
index 0ba2dc7..fc9bf40 100644
--- a/src/hsm/cmd_signature.c
+++ b/src/hsm/cmd_signature.c
@@ -284,11 +284,13 @@ int cmd_signature() {
     }
     else if (p2 == ALGO_HD) {
         size_t olen = 0;
-        uint8_t buf[MBEDTLS_ECDSA_MAX_LEN];
+        uint8_t buf[MBEDTLS_ECDSA_MAX_LEN] = {0};
         if (hd_context.grp.id == MBEDTLS_ECP_DP_NONE) {
+            mbedtls_ecdsa_free(&hd_context);
             return SW_CONDITIONS_NOT_SATISFIED();
         }
         if (hd_keytype != 0x1 && hd_keytype != 0x2) {
+            mbedtls_ecdsa_free(&hd_context);
             return SW_INCORRECT_PARAMS();
         }
         md = MBEDTLS_MD_SHA256;