diff --git a/ChangeLog.d/cookie_parsing_bug.txt b/ChangeLog.d/cookie_parsing_bug.txt
new file mode 100644
index 0000000000..a5f5875d3d
--- /dev/null
+++ b/ChangeLog.d/cookie_parsing_bug.txt
@@ -0,0 +1,11 @@
+Security
+   * Fix a buffer overread in DTLS ClientHello parsing in servers with
+     MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client
+     or a man-in-the-middle could cause a DTLS server to read up to 255 bytes
+     after the end of the SSL input buffer. The buffer overread only happens
+     when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on
+     the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(),
+     and possibly up to 571 bytes with a custom cookie check function.
+     If the function provider deliberately omits these size checks, he/she
+     is responsible for the negative impact on his/her code.
+     Reported by the Cybeats PSI Team.