[CLSA-2026:1777444367] vim: Fix of 9 CVEs
Type:
security
Severity:
Critical
Release date:
2026-04-29 06:59:23 UTC
Description:
- CVE-2021-3903: do not set VALID_BOTLINE in w_valid when the screen is not valid, preventing invalid memory access while scrolling.
- CVE-2021-4069: copy the current line before regexec in ex_open() so the match is not using freed memory when searching for a mark flushes it.
- CVE-2022-0351: limit eval7() recursion to 1000 levels to prevent a stack overflow from many nested "(" in an expression.
- CVE-2022-2129: disallow switching buffers in a substitute expression by extending the do_exedit() lock check to cover textlock as well.
- CVE-2022-2183: avoid reading past the NUL terminator in get_lisp_indent().
- CVE-2022-2287: reject words containing control characters or a trailing slash before adding them to the internal spell word list.
- CVE-2022-3234: guard PBYTE against the cursor landing past the NUL in op_replace() with virtualedit, and skip the virtualedit coladd branch when a replacement has already happened.
- CVE-2022-3520: clamp b_op_end.col to zero in do_put() to prevent a negative column with Visual block put.
- CVE-2022-3591: disallow navigating to a dummy buffer in do_buffer() to prevent use-after-free.
Updated packages:
  • vim-X11-7.4.629-8.0.1.el7_9.tuxcare.els4.x86_64.rpm
    sha:49ab3590f920d7f01492c825599e86a5716e77b937418f5bbae2f99e2baf5874
  • vim-common-7.4.629-8.0.1.el7_9.tuxcare.els4.x86_64.rpm
    sha:b890b27bc08ed9f73bb08c082531b327803f299fd23a2869b81e941d1fc85a76
  • vim-enhanced-7.4.629-8.0.1.el7_9.tuxcare.els4.x86_64.rpm
    sha:0d011134e5e02953af2ced12854679ee3ade4b3138ce0fb2e1f16483bda939b1
  • vim-filesystem-7.4.629-8.0.1.el7_9.tuxcare.els4.x86_64.rpm
    sha:e49e128e3a2089384713345d01b3a09e16000d2fddb12b306e74d7c4c2a7c639
  • vim-minimal-7.4.629-8.0.1.el7_9.tuxcare.els4.x86_64.rpm
    sha:60e8c51d5fb87f6d687385949f5d92ebc1c46622e5b618ca0550eabb95c26108
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.