diff --git a/ChangeLog.d/fix-in-cid-buffer-size.txt b/ChangeLog.d/fix-in-cid-buffer-size.txt new file mode 100644 index 0000000000..c8ede1f1c8 --- /dev/null +++ b/ChangeLog.d/fix-in-cid-buffer-size.txt @@ -0,0 +1,15 @@ +Bugfix + * Fix potential buffer overflow in DTLS with MBEDTLS_SSL_DTLS_CONNECTION_ID + enabled leading to context corruption. + +Security + * Fix potential memory probe through non-constant time memcmp() in DTLS + with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled. The memory probe is possible + only under very specific and unlikely conditions: + 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX < MBEDTLS_SSL_CID_IN_LEN_MAX if + MBEDTLS_SSL_CONTEXT_SERIALIZATION is disabled, + MBEDTLS_SERVER_HELLO_RANDOM_LEN + MBEDTLS_CLIENT_HELLO_RANDOM_LEN + + 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX < MBEDTLS_SSL_CID_IN_LEN_MAX if + MBEDTLS_SSL_CONTEXT_SERIALIZATION is enabled. Those conditions are not + met with the default values of MBEDTLS_SSL_CID_IN_LEN_MAX and + MBEDTLS_SSL_CID_OUT_LEN_MAX where the two maximum lengths are equal.
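Review bot: In the Bugfix entry, the buffer overflow "leading to context corruption" is given no triggering condition and is filed as a plain bug fix, while the memcmp() issue directly below it gets a Security heading and exact inequalities. If a peer-supplied CID can reach the overflow, it belongs under Security. Either way, the entry should say which relation between MBEDTLS_SSL_CID_IN_LEN_MAX and MBEDTLS_SSL_CID_OUT_LEN_MAX makes the overflow reachable, and whether the default equal values are affected, as the Security entry already does. In the Security entry, the two conditions are separated only by a comma, so it is hard to see that each belongs to one setting of MBEDTLS_SSL_CONTEXT_SERIALIZATION. Splitting them into two indented sub-items (serialization disabled, serialization enabled) would let users check their own configuration against the inequality that applies to them.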