diff --git a/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt b/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt
new file mode 100644
index 0000000000..023c730821
--- /dev/null
+++ b/ChangeLog.d/buf-overread-use-psa-static-ecdh.txt
@@ -0,0 +1,6 @@
+Security
+   * Fix a potential heap buffer overread in TLS 1.2 server-side when
+     MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with
+     mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite
+     is selected. This may result in an application crash. No path to
+     information leak has been identified.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1733ec931f..a912ce1415 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3239,15 +3239,18 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_pk_context *own_key = mbedtls_ssl_own_key( ssl );
 
-    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+    /* We want to call mbedtls_pk_ec(), which only works on those types. */
+    if( mbedtls_pk_get_type( own_key ) != MBEDTLS_PK_ECKEY &&
+        mbedtls_pk_get_type( own_key ) != MBEDTLS_PK_ECKEY_DH )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
         return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
     }
 
     if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
-                                 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
+                                 mbedtls_pk_ec( *own_key ),
                                  MBEDTLS_ECDH_OURS ) ) != 0 )
     {
         MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );