diff --git a/ChangeLog.d/fix-pkwrite-buffer-overrun.txt b/ChangeLog.d/fix-pkwrite-buffer-overrun.txt
new file mode 100644
index 0000000000..716b11e932
--- /dev/null
+++ b/ChangeLog.d/fix-pkwrite-buffer-overrun.txt
@@ -0,0 +1,9 @@
+Security
+ * Fix a buffer overflow in mbedtls_pk_write_pubkey(),
+ mbedtls_pk_write_pubkey_der() and mbedtls_pk_write_key_der().
+ With MBEDTLS_USE_PSA_CRYPTO turned on, these functions would
+ write to a location before the start of the output buffer if it was less
+ than the size of the key being written and also less than
+ PK_MAX_EC_PUBLIC_KEY_SIZE (for EC public keys) and
+ PSA_EXPORT_KEY_PAIR_MAX_SIZE (for RSA private keys).
+ This buffer overflow only occurs for keys with the type MBEDTLS_PK_OPAQUE.