diff --git a/ChangeLog.d/x509-subaltname-ext b/ChangeLog.d/x509-subaltname-ext
new file mode 100644
index 000000000..7845f181a
--- /dev/null
+++ b/ChangeLog.d/x509-subaltname-ext
@@ -0,0 +1,5 @@
+Bugfix
+   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
+     malformed alternative name components were not caught during initial
+     certificate parsing, but only on subsequent calls to
+     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.