diff --git a/ChangeLog.d/fix_int_overflow_x509_extension b/ChangeLog.d/fix_int_overflow_x509_extension
new file mode 100644
index 0000000000..2a679284f8
--- /dev/null
+++ b/ChangeLog.d/fix_int_overflow_x509_extension
@@ -0,0 +1,8 @@
+Security
+   * Fix a failure to validate input when writing x509 extensions lengths which
+     could result in an integer overflow, causing a zero-length buffer to be
+     allocated to hold the extension. The extension would then be copied into
+     the buffer, causing a heap buffer overflow.
+
+
+