diff --git a/docs/CHANGES b/docs/CHANGES
index 4b525558e..99c9d481c 100644
--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -5,6 +5,11 @@ CHANGES BETWEEN 2.9 and 2.9.1
     - Type  1  fonts  containing   flex  features  were  not  rendered
       correctly (bug introduced in version 2.9).
 
+    - CVE-2018-6942: Older FreeType versions can crash with certain
+      malformed variation fonts.
+
+        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6942
+
 
   II. MISCELLANEOUS