diff --git a/debian/changelog b/debian/changelog
index 4e0d90d71..755f4a19b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grub2 (2.06-4) UNRELEASED; urgency=medium
+
+  [ Steve McIntyre ]
+  * Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
+
+ -- Steve McIntyre <93sam@debian.org>  Sat, 30 Jul 2022 15:23:26 +0100
+
 grub2 (2.06-3) unstable; urgency=medium
 
   [ Colin Watson ]
@@ -57,6 +64,7 @@ grub2 (2.06-3) unstable; urgency=medium
       loader/efi/chainloader: Use grub_loader_set_ex
     - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
       loader/i386/efi/linux: Use grub_loader_set_ex
+    - CVE-2022-28736
   * Various fixes as a result of fuzzing and static analysis:
     - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
       kern/file: Do not leak device_name on error in grub_file_open()