diff --git a/src/ctap/apdu.rs b/src/ctap/apdu.rs index 14926ba..c99bf84 100644 --- a/src/ctap/apdu.rs +++ b/src/ctap/apdu.rs @@ -179,6 +179,9 @@ impl TryFrom<&[u8]> for APDU { .len() .checked_sub(extended_apdu_lc + 3) .ok_or(ApduStatusCode::SW_WRONG_LENGTH)?; + if extended_apdu_le_len > 3 { + return Err(ApduStatusCode::SW_WRONG_LENGTH); + } if byte_0 == 0 && extended_apdu_le_len <= 3 { // If first byte is zero AND the next two bytes can be parsed as a big-endian diff --git a/src/ctap/ctap1.rs b/src/ctap/ctap1.rs index cc15fa0..0932e2c 100644 --- a/src/ctap/ctap1.rs +++ b/src/ctap/ctap1.rs @@ -542,7 +542,7 @@ mod test { message.push(0x00); let response = Ctap1Command::process_command(&message, &mut ctap_state, START_CLOCK_VALUE); - assert_eq!(response, Err(Ctap1StatusCode::SW_INTERNAL_EXCEPTION)); + assert_eq!(response, Err(Ctap1StatusCode::SW_WRONG_LENGTH)); } #[test]
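Review bot: In src/ctap/apdu.rs the `extended_apdu_le_len <= 3` term in the following `if byte_0 == 0 && extended_apdu_le_len <= 3 {` is always true once the new guard has returned `SW_WRONG_LENGTH` for anything above 3, so that condition can be reduced to `if byte_0 == 0 {`. Keeping both comparisons means a later edit could change one bound without the other, in a parser that (judging by `TryFrom<&[u8]>`) takes raw command bytes. A one-line comment on the guard, for example `// Le occupies at most 3 bytes here; longer trailing data is a malformed APDU.`, would record why the limit is 3. The only test this commit touches is the ctap1 expectation, so a case in the apdu.rs tests asserting `Err(ApduStatusCode::SW_WRONG_LENGTH)` for a payload with more than 3 bytes after the data field would pin the behaviour at the parser level. The `try_from` body starts and ends outside the hunk, so any `else` branch that depended on the old condition is not visible here.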