diff --git a/CMakeLists.txt b/CMakeLists.txt
index d21a663..e6a56a6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -74,3 +74,7 @@ install(FILES include/se050_wireguard.h
 # Install library
 install(TARGETS se050_wireguard ARCHIVE DESTINATION lib)
+
+# Note: For embedded platforms (ESP32, u-boot), replace system_rng() with
+# platform-specific RNG (e.g., get_random_bytes() for ESP32)
+# See se050_wireguard.c for details.
diff --git a/src/se050_wireguard.c b/src/se050_wireguard.c
index 5e9cb0e..14e46b3 100644
--- a/src/se050_wireguard.c
+++ b/src/se050_wireguard.c
@@ -22,6 +22,7 @@
 #include "se050_crypto_utils.h"
 #include
 #include
+#include
 /* =========================================================================
 * WireGuard Protocol Constants
@@ -364,16 +365,23 @@ int se050_wireguard_compute_mac2(se050_wireguard_session_t *session,
 return -1;
 }
- /* Concatenate packet + mac1 */
- uint8_t data[1024];
- if (packet_len + WG_MAC1_SIZE > sizeof(data)) {
+ /* Use dynamic allocation for large packets */
+ if (packet_len + WG_MAC1_SIZE > WG_MAX_PACKET_SIZE) {
 return -1;
 }
+
+ uint8_t *data = malloc(packet_len + WG_MAC1_SIZE);
+ if (!data) {
+ return -1;
+ }
+
+ memcpy(data, packet, packet_len);
 memcpy(data + packet_len, mac1, WG_MAC1_SIZE);
 se050_hmac_blake2s(mac2, session->cookie_secret, 32, data, packet_len + WG_MAC1_SIZE);
+
+ free(data);
 return 0;
 }
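Review bot: The added comment names `get_random_bytes()` as the ESP32 RNG, but that is the Linux kernel's function; ESP-IDF's call is `esp_fill_random()`, whose output is only true-random while the radio or the bootloader entropy source is enabled. A note at the bottom of CMakeLists.txt is also easy to miss for something that decides key quality. system_rng() is not visible in this diff, but a compile-time guard beside it in se050_wireguard.c would make the requirement hard to skip, for example `#error "system_rng(): provide a platform CSPRNG for this target"` in the embedded-target branch.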
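Review bot: The new bound `packet_len + WG_MAC1_SIZE > WG_MAX_PACKET_SIZE` performs the addition before the comparison, so if `packet_len` is an unsigned type such as `size_t` (its declaration is outside this hunk) a value near the type's maximum wraps to a small sum and passes the check. The `malloc` is then sized from the same wrapped sum, and `memcpy(data, packet, packet_len)` writes past the heap buffer. Comparing without the addition closes this: `if (packet_len > WG_MAX_PACKET_SIZE - WG_MAC1_SIZE) { return -1; }`, which is valid as long as WG_MAX_PACKET_SIZE (not defined in the visible hunks) is at least WG_MAC1_SIZE. Separately, mac2 is the check used when the responder is under load, so a per-call heap allocation on that path deserves a comment stating the worst-case size, or avoiding it if the BLAKE2s helper offers an incremental interface. The function body begins above the hunk.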