diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index a4091890fd..e7474d0c69 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -15319,8 +15319,12 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in,
                     encryptedContent, encryptedContentSz, encryptedContent,
                     pkcs7->devId, pkcs7->heap);
             if (ret != 0) {
-                XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
-                return ret;
+                /* Fall through to the shared error handler below, which
+                 * ForceZeros and frees encryptedContent, nulls
+                 * stream->bufferPt/key, and resets the stream. Returning
+                 * here would leave a dangling stream->bufferPt and risk a
+                 * use-after-free / double-free on streaming re-entry. */
+                break;
             }
 
             if (encodedAttribs != NULL) {