diff --git a/lib/luks2/hw_opal/hw_opal.c b/lib/luks2/hw_opal/hw_opal.c
index ebdad1fa..aac065a0 100644
--- a/lib/luks2/hw_opal/hw_opal.c
+++ b/lib/luks2/hw_opal/hw_opal.c
@@ -471,6 +471,8 @@ int opal_setup_ranges(struct crypt_device *cd,
 		}
 	}
 
+	crypt_safe_free(user_session);
+
 	user_session = crypt_safe_alloc(sizeof(struct opal_session_info));
 	if (!user_session) {
 		r = -ENOMEM;
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 6d2a0dc3..44003eba 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2896,14 +2896,15 @@ static int opal_erase(struct crypt_device *cd, bool factory_reset) {
 	if (factory_reset && !ARG_SET(OPT_BATCH_MODE_ID) &&
 		!yesDialog(_("WARNING: WHOLE disk will be factory reset and all data will be lost! Continue?"),
 			_("Operation aborted.\n"))) {
+		crypt_safe_free(password);
 		return -EPERM;
 	}
 
-	return crypt_wipe_hw_opal(cd,
-			factory_reset ? CRYPT_NO_SEGMENT : CRYPT_LUKS2_SEGMENT,
-			password,
-			password_size,
-			0);
+	r = crypt_wipe_hw_opal(cd, factory_reset ? CRYPT_NO_SEGMENT : CRYPT_LUKS2_SEGMENT,
+			       password, password_size, 0);
+
+	crypt_safe_free(password);
+	return r;
 }
 
 static int action_luksErase(void)