diff --git a/ChangeLog b/ChangeLog
index 951c1340f1..4b4cd3aea8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,8 @@ Security
 plaintexts and forge RSA signatures. Other asymmetric algorithms may have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
+ * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
+ modules.
 = mbed TLS 2.1.16 branch released 2018-11-19
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index e8fdd9b6cb..d3888483a3 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -226,6 +226,10 @@ static int block_cipher_df( unsigned char *output,
 mbedtls_aes_free( &aes_ctx );
+ mbedtls_zeroize( buf, sizeof( buf ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
+ mbedtls_zeroize( key, sizeof( key ) );
+ mbedtls_zeroize( chain, sizeof( chain ) );
 return( 0 );
 }
@@ -264,6 +268,7 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
 mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
 return( 0 );
 }
@@ -281,6 +286,7 @@ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
 block_cipher_df( add_input, additional, add_len );
 ctr_drbg_update_internal( ctx, add_input );
+ mbedtls_zeroize( add_input, sizeof( add_input ) );
 }
 }
@@ -327,6 +333,7 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
 ctr_drbg_update_internal( ctx, seed );
 ctx->reseed_counter = 1;
+ mbedtls_zeroize( seed, sizeof( seed ) );
 return( 0 );
 }
@@ -393,6 +400,8 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 ctx->reseed_counter++;
+ mbedtls_zeroize( add_input, sizeof( add_input ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
 return( 0 );
 }
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index 24c609e9ce..40e2b0ad6a 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
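Review bot: The four wipes in block_cipher_df sit immediately before the success `return( 0 )`, so any return that leaves the function earlier, once `buf`, `tmp`, `key` or `chain` have been filled, skips them; the body above this hunk is outside my view, so I cannot confirm such a path exists, but if it does a single `exit:` label that every path reaches before returning would make the wipe unconditional. The same placement is used by the wipes added in the mbedtls_ctr_drbg_reseed and mbedtls_ctr_drbg_random_with_add hunks below and in mbedtls_hmac_drbg_reseed in hmac_drbg.c, where an early return on an entropy-source failure (not visible here, but the usual shape of these functions) would leave a partially written `seed` behind. The wipe is also only as strong as mbedtls_zeroize itself: if it is a thin memset wrapper rather than a store loop through a volatile pointer, the compiler may treat these as dead stores before return, so it is worth confirming against the definition in this file.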
@@ -93,6 +93,8 @@ void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
 mbedtls_md_hmac_update( &ctx->md_ctx, ctx->V, md_len );
 mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V );
 }
+
+ mbedtls_zeroize( K, sizeof( K ) );
 }
 /*
@@ -158,6 +160,7 @@ int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
 ctx->reseed_counter = 1;
 /* 4. Done */
+ mbedtls_zeroize( seed, seedlen );
 return( 0 );
 }
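Review bot: `mbedtls_zeroize( seed, seedlen )` in the mbedtls_hmac_drbg_reseed hunk clears only as many bytes as the earlier `seedlen` arithmetic (outside this hunk) says were written, while every other wipe in this commit uses `sizeof`; assuming `seed` is a fixed-size stack array here as it evidently is in ctr_drbg.c, I would write `mbedtls_zeroize( seed, sizeof( seed ) );` so the cleared region does not depend on how `seedlen` was computed and the two modules stay consistent. As with the ctr_drbg.c reseed hunk, the wipe is on the success path only; if the function returns early when the entropy callback fails, that path should clear the buffer too.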