diff --git a/libwvdrmengine/oemcrypto/CHANGELOG.md b/libwvdrmengine/oemcrypto/CHANGELOG.md
index eef79c27..6ce869a5 100644
--- a/libwvdrmengine/oemcrypto/CHANGELOG.md
+++ b/libwvdrmengine/oemcrypto/CHANGELOG.md
@@ -163,6 +163,19 @@ OS.
   due to an edge case in the implementation of
   WPTI_GenerateRandomCertificateKeyPair().
 
+## [OPK Version 17.1.1][v17.1+opk-v17.1.1]
+
+This release only affects OPK and not any other part of OEMCrypto. This release
+fixes a flaw in the OPK code that could allow content that requires HDCP 2 to
+output over a display connection that only supports HDCP 1. This bug would only
+be triggered if the WTPI implementation reports the minor version number of
+HDCP 1 connections. If your implementation of `WTPI_CurrentHDCPCapability()`
+ever returns `HDCP_V1_0`, `HDCP_V1_1`, `HDCP_V1_2`, `HDCP_V1_3`, or `HDCP_V1_4`,
+your device is vulnerable and you should take this patch urgently. If your
+implementation of `WTPI_CurrentHDCPCapability()` only ever returns `HDCP_V1` for
+HDCP 1 connections or does not support HDCP 1, then your device is not affected.
+You will not need to change your WTPI implementation to apply this patch.
+
 ## [Version 17.1][v17.1]
 
 This release contains a major change to the build process for the OP-TEE port,
@@ -324,3 +337,4 @@ Public release for OEMCrypto API and ODK library version 16.4.
 [v17+test-updates+opk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk
 [v17+test-updates+opk+mk]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17+test-updates+opk+mk
 [v17.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1
+[v17.1+opk-v17.1.1]: https://widevine-partner.googlesource.com/oemcrypto/+/refs/tags/v17.1+opk-v17.1.1