diff --git a/ChangeLog.d/check-config.txt b/ChangeLog.d/check-config.txt
index 86723e090..8570a1175 100644
--- a/ChangeLog.d/check-config.txt
+++ b/ChangeLog.d/check-config.txt
@@ -1,5 +1,8 @@
 Changes
-   * Explicitly state that mbedtls/check_config.h must not be included manually.
+   * Warn if mbedtls/check_config.h is included manually, as this can
+     lead to spurious errors. Error if a *adjust*.h header is included
+     manually, as this can lead to silently inconsistent configurations,
+     potentially resulting in buffer overflows.
      When migrating from Mbed TLS 2.x, if you had a custom config.h that
      included check_config.h, remove this inclusion from the Mbed TLS 3.x
      configuration file (renamed to mbedtls_config.h). This change was made