diff --git a/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
new file mode 100644
index 000000000..01492438a
--- /dev/null
+++ b/ChangeLog.d/fix-possible-false-success-in-mbedtls_cipher_check_tag.txt
@@ -0,0 +1,4 @@
+Changes
+   * Calling AEAD tag-specific functions for non-AEAD algorithms (which should not
+     be done - they are documented for use only by AES-GCM and ChaCha20+Poly1305)
+     now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE instead of success (0).