diff --git a/src/ReverseProxy/Utilities/TlsFrameHelper.cs b/src/ReverseProxy/Utilities/TlsFrameHelper.cs
index dbb54ae3e9..fbdbd46bab 100644
--- a/src/ReverseProxy/Utilities/TlsFrameHelper.cs
+++ b/src/ReverseProxy/Utilities/TlsFrameHelper.cs
@@ -504,6 +504,11 @@ private static bool TryParseClientHello(ReadOnlySpan clientHello, ref TlsF
             return true;
         }
 
+        if (p.Length < sizeof(ushort))
+        {
+            return false;
+        }
+
         // client_hello_extension_list (max size 2^16-1 => size fits in 2 bytes)
         int extensionListLength = BinaryPrimitives.ReadUInt16BigEndian(p);
         p = SkipBytes(p, sizeof(ushort));
@@ -542,6 +547,11 @@ private static bool TryParseServerHello(ReadOnlySpan serverHello, ref TlsF
             return false;
         }
 
+        if (p.Length < sizeof(ushort))
+        {
+            return false;
+        }
+
         // client_hello_extension_list (max size 2^16-1 => size fits in 2 bytes)
         int extensionListLength = BinaryPrimitives.ReadUInt16BigEndian(p);
         p = SkipBytes(p, sizeof(ushort));
@@ -675,6 +685,12 @@ private static bool TryGetSniFromServerNameList(ReadOnlySpan serverNameLis
         const int HostNameLengthOffset = 0;
         const int HostNameOffset = HostNameLengthOffset + sizeof(ushort);
 
+        if (hostNameStruct.Length < HostNameOffset)
+        {
+            invalid = true;
+            return null;
+        }
+
         int hostNameLength = BinaryPrimitives.ReadUInt16BigEndian(hostNameStruct);
         var hostName = hostNameStruct.Slice(HostNameOffset);
         if (hostNameLength != hostName.Length)
@@ -704,6 +720,11 @@ private static bool TryGetSupportedVersionsFromExtension(ReadOnlySpan exte
         protocols = SslProtocols.None;
 
+        if (extensionData.IsEmpty)
+        {
+            return false;
+        }
+
         var supportedVersionLength = extensionData[VersionListLengthOffset];
         extensionData = extensionData.Slice(VersionListNameOffset);
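Review bot: The new `p.Length < sizeof(ushort)` guard in TryParseClientHello has no comment saying why an explicit check is wanted when `BinaryPrimitives.ReadUInt16BigEndian` would already throw ArgumentOutOfRangeException on a short span; the point is that this span comes from the peer, so a truncated record should make parsing fail rather than surface an exception to the caller. Suggest `// Truncated hello: fewer than 2 bytes left for the extension list length; fail parsing instead of letting ReadUInt16BigEndian throw on peer-supplied bytes.` The identical guard in the TryParseServerHello hunk deserves the same comment. Note the guard only protects the 2-byte length field itself; whether `extensionListLength` is then compared against the remaining `p.Length` before the list is walked happens after the hunk, and both methods continue outside their hunks.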
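Review bot: The new guard in the TryGetSniFromServerNameList hunk reports failure through `invalid = true; return null;`, unlike the plain `return false` used by the other guards in this commit, and a short comment would make that deliberate, e.g. `// Fewer than 2 bytes: no room for the host_name length field, so the ServerNameList is malformed.` The check accepts `hostNameStruct.Length == HostNameOffset`, leaving that case to the following `hostNameLength != hostName.Length` comparison, which passes when the length field is zero and `hostName` is the empty slice; unless something after the hunk rejects a zero-length host_name, an empty SNI entry would not be flagged as invalid here, which seems worth confirming. The enclosing method continues outside the hunk.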