diff --git a/doc/releases/release-notes-2.3.rst b/doc/releases/release-notes-2.3.rst index c671f0d5c90..2f36e3bdbee 100644 --- a/doc/releases/release-notes-2.3.rst +++ b/doc/releases/release-notes-2.3.rst @@ -16,7 +16,17 @@ The following sections provide detailed lists of changes by component. Security Vulnerability Related ****************************** -No security vulnerabilities received. +The following CVEs are addressed by this release: + +* CVE-2020-10022: UpdateHub Module Copies a Variable-Sized Hash String + into a fixed-size array. +* CVE-2020-10059: UpdateHub Module Explicitly Disables TLS + Verification +* CVE-2020-10062: Under embargo until 2020/05/25 +* CVE-2020-10063: Under embargo until 2020/05/25 + +More detailed information can be found in: +https://docs.zephyrproject.org/latest/security/vulnerabilities.html API Changes *********** diff --git a/doc/security/vulnerabilities.rst b/doc/security/vulnerabilities.rst index fcfd3a4c805..6a3614e26e7 100644 --- a/doc/security/vulnerabilities.rst +++ b/doc/security/vulnerabilities.rst @@ -360,6 +360,16 @@ This issue has not been fixed. - `Zephyr project bug tracker ZEPSEC-37 `_ +CVE-2020-10062 +-------------- + +Under embargo until 2020/05/25 + +CVE-2020-10063 +-------------- + +Under embargo until 2020/05/25 + CVE-2020-10067 --------------
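Review bot: In the release-notes-2.3.rst hunk, the "More detailed information can be found in:" link points at docs.zephyrproject.org/latest/, so the 2.3 release notes will track whatever the latest documentation says rather than the state of this release. Consider a Sphinx cross-reference to the vulnerabilities page, or a URL pinned to the 2.3 docs. The bullets are also inconsistent in style: the CVE-2020-10022 entry switches from title case to lower case in "into a fixed-size array." and ends with a period, while the CVE-2020-10059 entry has no closing period.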
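Review bot: In the vulnerabilities.rst hunk, the new CVE-2020-10062 and CVE-2020-10063 sections contain only "Under embargo until 2020/05/25" and, unlike the preceding entry with its ZEPSEC tracker link, carry no reference that ties them to a follow-up. Add the tracker id if it can be disclosed, or make sure a task exists to fill in the description and fix references once the embargo date passes; the same placeholder text is repeated in the release notes and will need updating in both files. Consider writing the date in ISO form, 2020-05-25.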