diff --git a/ChangeLog.d/xxx_psa_peerkey.txt b/ChangeLog.d/xxx_psa_peerkey.txt
new file mode 100644
index 0000000000..1ba1510000
--- /dev/null
+++ b/ChangeLog.d/xxx_psa_peerkey.txt
@@ -0,0 +1,6 @@
+Security
+   * Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
+     In TLS 1.3, all configurations are affected except PSK-only ones.
+     In TLS 1.2, the affected configurations are those with
+     MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled.
+     Credit to OSS-Fuzz.