diff --git a/src/Attestation/AuthenticatorData.php b/src/Attestation/AuthenticatorData.php
index 83462b1..e0aa506 100644
--- a/src/Attestation/AuthenticatorData.php
+++ b/src/Attestation/AuthenticatorData.php
@@ -345,6 +345,10 @@ private function _readCredentialPublicKey($binary, $offset, &$endOffset) {
 */
 private function _readCredentialPublicKeyEDDSA(&$credPKey, $enc) {
 $credPKey->crv = $enc[self::$_COSE_CRV];
+
+ if (!isset($enc[self::$_COSE_X])) {
+ throw new WebAuthnException('public key missing', WebAuthnException::MISSING_PUBLIC_KEY);
+ }
 $credPKey->x = $enc[self::$_COSE_X] instanceof ByteBuffer ? $enc[self::$_COSE_X]->getBinaryString() : null;
 unset ($enc);
diff --git a/src/WebAuthnException.php b/src/WebAuthnException.php
index f27eeec..f6b07de 100644
--- a/src/WebAuthnException.php
+++ b/src/WebAuthnException.php
@@ -21,6 +21,7 @@ class WebAuthnException extends \Exception {
 const BYTEBUFFER = 14;
 const CBOR = 15;
 const ANDROID_NOT_TRUSTED = 16;
+ const MISSING_PUBLIC_KEY = 17;
 public function __construct($message = "", $code = 0, $previous = null) {
 parent::__construct($message, $code, $previous);
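Review bot: The new guard in `_readCredentialPublicKeyEDDSA` only tests that `$enc[self::$_COSE_X]` is set, so a COSE map whose x entry is present but is not a `ByteBuffer` still passes it, and the ternary on the next line stores `null` in `$credPKey->x`. Since this is attacker-supplied attestation data, I would reject on type rather than presence, e.g. `if (!(($enc[self::$_COSE_X] ?? null) instanceof ByteBuffer)) {`, which also makes the `: null` branch unnecessary. The read of `$enc[self::$_COSE_CRV]` one line above the guard is still unchecked, so a map without a curve entry produces a PHP warning instead of a `WebAuthnException`. The function body continues past the end of the hunk, so later validation may already catch a null x or crv; if it does, a short comment on the new check saying which case it adds would help.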