diff --git a/ChangeLog.d/fix-ccm-finish.txt b/ChangeLog.d/fix-ccm-finish.txt
new file mode 100644
index 0000000000..7bf5841612
--- /dev/null
+++ b/ChangeLog.d/fix-ccm-finish.txt
@@ -0,0 +1,3 @@
+Bugfix
+   * Add tag length validation in mbedtls_ccm_finish() to reject lengths
+     that are invalid or differ from the negotiated tag length.