diff --git a/impl/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java b/impl/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java
index f7a7d966cc..6d72da2899 100644
--- a/impl/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java
+++ b/impl/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java
@@ -130,6 +130,11 @@ public String decrypt(String value) throws InvalidKeyException {
         try {
             byte[] iv = new byte[16];
+
+            if (bytes.length < iv.length) {
+                throw new InvalidKeyException("Invalid characters in decrypted value");
+            }
+
             System.arraycopy(bytes, 0, iv, 0, iv.length);
             IvParameterSpec ivspec = new IvParameterSpec(iv);
diff --git a/impl/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java b/impl/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java
index d16d0da386..935338557b 100644
--- a/impl/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java
+++ b/impl/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java
@@ -16,10 +16,12 @@
 package com.sun.faces.util;
+import java.security.InvalidKeyException;
+import javax.xml.bind.DatatypeConverter;
 import org.junit.Test;
-import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 public class ByteArrayGuardAESCTRTest {
@@ -39,5 +41,16 @@ public void testSmallerSizeBytes() throws Exception {
     }
+    @Test(expected = InvalidKeyException.class)
+    public void testDecryptValueWithoutIvBytes() throws InvalidKeyException {
+        ByteArrayGuardAESCTR sut = new ByteArrayGuardAESCTR();
+
+        String value = "noIV";
+        byte[] bytes = DatatypeConverter.parseBase64Binary(value);
+        assertTrue(bytes.length < 16);
+
+        sut.decrypt(value);
+    }
+
 }
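Review bot: The message on the new `throw new InvalidKeyException("Invalid characters in decrypted value")` describes a different failure than the condition guarding it: the guard fires when the decoded input is shorter than the 16-byte IV, not when it contains bad characters, so a log entry produced by it would point operators at the wrong cause; suggest `throw new InvalidKeyException("Encrypted value is too short to contain the IV");` (the type is fine, the hunk header shows decrypt already declares it). Two things the hunk does not settle: an input of exactly 16 bytes passes the guard and leaves an empty ciphertext for the cipher call that follows, and the throw sits inside the `try` whose catch clauses are outside the hunk, so if one of them catches a supertype the new exception may be rewrapped rather than propagated as the test expects — worth confirming against the full method. The body of decrypt starts and ends outside the hunk.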
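Review bot: `DatatypeConverter.parseBase64Binary(value)` in testDecryptValueWithoutIvBytes relies on `javax.xml.bind`, which is no longer part of the JDK from Java 11 on, so the new test compiles only if a JAXB API artifact is on the test classpath; `byte[] bytes = java.util.Base64.getDecoder().decode(value);` yields the same bytes with no extra dependency, and the `javax.xml.bind.DatatypeConverter` import added in the previous hunk could then be dropped. The `assertTrue(bytes.length < 16)` precondition is a good sanity check, but `@Test(expected = InvalidKeyException.class)` only proves that some InvalidKeyException was thrown, not that it came from the new length guard rather than an earlier validation step; if the project is on JUnit 4.13 or later, `assertThrows` with a check on the message would pin that. The enclosing test class continues outside the hunk.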