diff --git a/ChangeLog.d/8799.txt b/ChangeLog.d/8799.txt
new file mode 100644
index 000000000..b44bb9991
--- /dev/null
+++ b/ChangeLog.d/8799.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * mbedtls_pem_read_buffer() now performs a check on the padding data of
+     decrypted keys and it rejects invalid ones. It also parses and validates
+     the main ASN.1 SEQUENCE header.