diff --git a/src/ssl_load.c b/src/ssl_load.c
index 8d85d566e4..81ef7c38e5 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -5102,6 +5102,22 @@ int wolfSSL_CTX_use_RSAPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL_RSA* rsa)
 
 #ifdef OPENSSL_EXTRA
 
+static char* wolfSSL_getenv_memcpy(const char* varName) {
+    char* ret = NULL;
+    char* env = NULL;
+    int len = 0;
+
+    if ((env = XGETENV(varName)) != NULL) {
+        len = XSTRLEN(env);
+        ret = (char*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        if (ret != NULL) {
+            XMEMCPY(ret, env, len);
+        }
+    }
+
+    return ret;
+}
+
 /* Use the default paths to look for CA certificate.
  *
  * This is an OpenSSL compatibility layer function, but it doesn't mirror
@@ -5121,9 +5137,9 @@ int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
 {
     int ret;
 #ifdef XGETENV
-    char* certDir;
-    char* certFile;
-    word32 flags;
+    char* certDir = NULL;
+    char* certFile = NULL;
+    word32 flags = 0;
 #elif !defined(WOLFSSL_SYS_CA_CERTS)
     (void)ctx;
 #endif
@@ -5131,8 +5147,8 @@ int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
     WOLFSSL_ENTER("wolfSSL_CTX_set_default_verify_paths");
 
 #ifdef XGETENV
-    certDir = XGETENV("SSL_CERT_DIR");
-    certFile = XGETENV("SSL_CERT_FILE");
+    certDir = wolfSSL_getenv_memcpy("SSL_CERT_DIR");
+    certFile = wolfSSL_getenv_memcpy("SSL_CERT_FILE");
     flags = WOLFSSL_LOAD_FLAG_PEM_CA_ONLY;
 
     if ((certDir != NULL) || (certFile != NULL)) {
@@ -5178,6 +5194,14 @@ int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
     #endif
     }
 
+#ifdef XGETENV
+    if (certFile != NULL) {
+        XFREE(certFile, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+    if (certDir != NULL) {
+        XFREE(certDir, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    }
+#endif
     WOLFSSL_LEAVE("wolfSSL_CTX_set_default_verify_paths", ret);
 
     return ret;