diff --git a/ChangeLog.d/add-aes-hardware-only-option.txt b/ChangeLog.d/add-aes-hardware-only-option.txt
new file mode 100644
index 000000000..69db58ece
--- /dev/null
+++ b/ChangeLog.d/add-aes-hardware-only-option.txt
@@ -0,0 +1,6 @@
+Features
+   * New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When using
+     CPU-accelerated AES (e.g., Arm Crypto Extensions), this option disables
+     the plain C implementation and the run-time detection for the CPU feature,
+     which reduces code size and avoid the vulnerability of the plain C
+     implementation.