diff --git a/ChangeLog.d/fix-overread-in-tls13-debug.txt b/ChangeLog.d/fix-overread-in-tls13-debug.txt
new file mode 100644
index 000000000..e089ce161
--- /dev/null
+++ b/ChangeLog.d/fix-overread-in-tls13-debug.txt
@@ -0,0 +1,3 @@
+Security
+   * Fix a potential heap buffer overread in TLS 1.3 client-side when
+     MBEDTLS_DEBUG_C is enabled. This may result in an application crash.