[CLSA-2026:1777544441] vim: Fix of 13 CVEs
Type: security
Severity: Important
Release date: 2026-05-02 01:09:10 UTC
Description:
- CVE-2021-3796: fix use-after-free in nv_replace by getting the line pointer again after ins_copychar may have released it
- CVE-2021-3973: fix heap buffer overflow in find_file_in_path_option by rejecting len == 0 inputs
- CVE-2022-0413: fix use-after-free in do_sub when the substitute string is a "\=" expression by copying the string before eval
- CVE-2022-0943: fix heap overflow in spell_suggest when "z=" in Visual mode by clamping badlen to the remaining line length
- CVE-2022-1620: fix NULL pointer access by guarding both vim_regexec calls in fname_match and the second fname_match call in buflist_match against rmp->regprog becoming NULL after the AUTOMATIC_ENGINE fallback fails to recompile the pattern
- CVE-2022-1796: fix use-after-free in find_pattern_in_path by making a copy of the identifier pointer before the call
- CVE-2022-2207: fix read-before-start-of-line in ins_bs by requiring w_cursor.col > 0 in the whitespace back-step loop
- CVE-2022-3235: fix use-after-free in cmdline input-method handling by tracking the owning buffer and checking buf_valid
- CVE-2022-3296: fix buffer underflow in ex_finally by searching for a valid CSF_TRY frame before accessing cs_flags
- CVE-2023-46246: fix integer overflow in :history by clamping long values to INT_MAX before casting to int
- CVE-2023-48231: fix use-after-free in win_close by returning early when the window is no longer valid after BufLeave
- CVE-2023-48706: fix use-after-free in ex_substitute by always allocating sub and freeing it on every exit path
- CVE-2026-33412: fix command injection via newline in glob() by adding '\n' to the SHELL_SPECIAL escape set
Updated packages:
  • vim-X11-7.4.629-8.0.1.el7_9.tuxcare.els11.x86_64.rpm
    sha:27646d5af4ee1e7896ad3915fd684ed223427c33b477a4c340cd2846d5ecaa7c
  • vim-common-7.4.629-8.0.1.el7_9.tuxcare.els11.x86_64.rpm
    sha:54616e4593581de63f8259054c305d31a0a705ed62cc78f4a9face06fcef8f12
  • vim-enhanced-7.4.629-8.0.1.el7_9.tuxcare.els11.x86_64.rpm
    sha:14642ee8461709193d2f6a326c64fd4a3082175242d8c67df3e841f0407bda09
  • vim-filesystem-7.4.629-8.0.1.el7_9.tuxcare.els11.x86_64.rpm
    sha:c7c3c4d23e52a84304342e594a1ef33e5e819184c6f9da9bc112326cdcb4e253
  • vim-minimal-7.4.629-8.0.1.el7_9.tuxcare.els11.x86_64.rpm
    sha:96b9773d1c544b9bdb7c2c3dc5bcd95e8fd63cf14ea4b8316dc45bcf61cb82f1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.