diff --git a/src/transport/raw/TCP.cpp b/src/transport/raw/TCP.cpp
index cd4571ec145041..f87ffa16219170 100644
--- a/src/transport/raw/TCP.cpp
+++ b/src/transport/raw/TCP.cpp
@@ -347,8 +347,10 @@ CHIP_ERROR TCPBase::ProcessReceivedBuffer(Inet::TCPEndPoint * endPoint, const Pe
 
         if (messageSize == 0)
         {
-            // No payload but considered a valid message. Return success to keep the connection alive.
-            return CHIP_NO_ERROR;
+            // Zero-length messages are not valid Matter messages. Reject to
+            // prevent attackers from holding TCP connection slots indefinitely.
+            ChipLogError(Inet, "Received zero-length TCP message, closing connection.");
+            return CHIP_ERROR_INVALID_MESSAGE_LENGTH;
         }
 
         ReturnErrorOnFailure(ProcessSingleMessage(peerAddress, state, messageSize));
diff --git a/src/transport/raw/tests/TestTCP.cpp b/src/transport/raw/tests/TestTCP.cpp
index dba7f0cd26e116..eac1c6c63d89a1 100644
--- a/src/transport/raw/tests/TestTCP.cpp
+++ b/src/transport/raw/tests/TestTCP.cpp
@@ -696,11 +696,11 @@ TEST_F(TestTCP, CheckProcessReceivedBuffer)
     TestData testData[2];
     gMockTransportMgrDelegate.SetCallback(TestDataCallbackCheck, testData);
 
-    // Test a single packet buffer with zero message size.
+    // Test a single packet buffer with zero message size - should be rejected.
     System::PacketBufferHandle buf = System::PacketBufferHandle::NewWithData(messageSize_TEST, 4);
     ASSERT_NE(&buf, nullptr);
     err = TestAccess::ProcessReceivedBuffer(tcp, lEndPoint, lPeerAddress, std::move(buf));
-    EXPECT_EQ(err, CHIP_NO_ERROR);
+    EXPECT_EQ(err, CHIP_ERROR_INVALID_MESSAGE_LENGTH);
 
     // Test a single packet buffer.
     gMockTransportMgrDelegate.mReceiveHandlerCallCount = 0;