diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index a2dae120f99..587bcdb6d9e 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -1882,8 +1882,15 @@ static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen,
 return ret;
 }
 
- tmp[0] &= (byte)((1 << bits) - 1);
- pkcsBlock[0] &= (byte)((1 << bits) - 1);
+ /* When bits==0 the key size is an exact multiple of 8 and pkcsBlock was
+ * already advanced past the leading 0x00 byte (see above); no masking is
+ * needed. (1<<0)-1 == 0 would zero both bytes and corrupt the XOR
+ * separator check below. RsaPad_PSS guards the same step with
+ * "if (hiBits)" for the same reason. */
+ if (bits) {
+ tmp[0] &= (byte)((1 << bits) - 1);
+ pkcsBlock[0] &= (byte)((1 << bits) - 1);
+ }
 #ifdef WOLFSSL_PSS_SALT_LEN_DISCOVER
 if (saltLen == RSA_PSS_SALT_LEN_DISCOVER) {
 for (i = 0; i < maskLen - 1; i++) {
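Review bot: The new comment's condition "the key size is an exact multiple of 8" looks imprecise and is worth tightening, because it tells maintainers which keys reach the `bits == 0` path. The reduction of `bits` happens above this hunk, but masking the top byte with `(1 << bits) - 1` implies `bits` is the encoded-message bit length modulo 8, so zero would correspond to a modulus one bit longer than a multiple of 8 rather than to common sizes such as 2048; please confirm and reword along the lines of `/* bits == 0: emBits is a multiple of 8, so there is no partial top byte to mask */`. Since such key sizes are unusual, a regression test that accepts a valid PSS signature and rejects a modified one under that kind of key would keep the guard from regressing; none is visible on this page. RsaUnPad_PSS starts and ends outside the hunk, so the 0x00-byte skip and the separator check that the comment refers to cannot be confirmed from here.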