diff --git a/ChangeLog.d/fix-issue-x509-cert_req.txt b/ChangeLog.d/fix-issue-x509-cert_req.txt
new file mode 100644
index 000000000..3a5171b83
--- /dev/null
+++ b/ChangeLog.d/fix-issue-x509-cert_req.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix possible NULL dereference issue in X509 cert_req program if an entry
+ in the san parameter is not separated by a colon.
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index 558d8cc73..7e2a6bd8e 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -261,6 +261,10 @@ usage:
 if ((subtype_value = strchr(q, ':')) != NULL) {
 *subtype_value++ = '\0';
+ } else {
+ mbedtls_printf(
+ "Invalid argument for option SAN: Entry must be of the form TYPE:value\n");
+ goto usage;
 }
 if (strcmp(q, "RFC822") == 0) {
 cur->node.type = MBEDTLS_X509_SAN_RFC822_NAME;
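Review bot: The new `else` branch in cert_req.c rejects an entry that has no colon but does not say which entry was rejected, which is awkward when the san parameter carries several entries; printing it, e.g. `mbedtls_printf("Invalid argument for option SAN: entry '%s' must be of the form TYPE:value\n", q);`, would make the failure actionable. The check only establishes that a colon is present, so an entry such as `RFC822:` still passes with `subtype_value` pointing at an empty string; whether the per-type handling further down tolerates an empty value is not visible in this hunk and is worth confirming. The enclosing loop and the code that consumes `subtype_value` lie outside the hunk.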