diff --git a/CHANGES b/CHANGES index 031208f2ff..3ae10f17e2 100644 --- a/CHANGES +++ b/CHANGES @@ -29,7 +29,9 @@ predecessor key that does not need to be refreshed. [GL #1551] -5689. [placeholder] +5689. [security] An assertion failure occurred when rate-limiting + was applied to a UDP packet exceeding the link MTU + size. (CVE-2021-25218) [GL #2839] 5688. [bug] Inline and dnssec-policy zones could fail to apply changes from the unsigned zone to the signed zone diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index e17d4ebb8c..38ae038400 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -20,6 +20,10 @@ Security Fixes the opcode of those responses and rejecting the messages if they don't match the expected value. :gl:`#2762` +- Fix an assertion failure that occured in ``named`` when attempting to send + a UDP packet exceeding the MTU size if rate-limiting was enabled. + (CVE-2021-25218) :gl:`#2839` + Known Issues ~~~~~~~~~~~~
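Review bot: The trigger condition in the new 5689 entry of CHANGES is worded differently from the release note added in the same patch. CHANGES says the assertion failed "when rate-limiting was applied to a UDP packet exceeding the link MTU size", while doc/notes/notes-current.rst says it happened when "attempting to send" such a packet "if rate-limiting was enabled". An operator reading the two cannot tell whether exposure requires a response to actually be rate-limited or only requires the feature to be turned on. Suggest using one phrasing in both places, and naming ``named`` in the CHANGES entry as the release note does. The entry also uses "link MTU size" where the note uses "MTU size"; pick one term.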
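Review bot: "occured" in the first added line of the doc/notes/notes-current.rst hunk is misspelled and should read "occurred". Since this text goes into the published release notes under Security Fixes, it is worth fixing before merge. The rest of the bullet follows the surrounding entries' style (CVE id in parentheses, then the :gl: reference), so no other change is needed there.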