Release date:
2026-05-08 17:18:06 UTC
Description:
- CVE-2021-3875: fix ml_get error after search with range; clamp
ea->line2 to the buffer length in get_address() so out-of-range
addresses do not produce an out-of-bounds read (ex_docmd.c, upstream
patch 8.2.3489)
- CVE-2022-4293: fix crash when dividing the largest negative integer
by -1 in num_divide(); detect the LONG_MIN / -1 case and clamp the
result (typval.c, upstream patch 9.0.0913)
- CVE-2023-48231: fix use-after-free in win_close() when an autocmd
closes a previously-validated window; re-check window validity
before setting w_closing (window.c, upstream patch 9.0.2106)
- CVE-2023-48235: fix integer overflow in ex address parsing; verify
lnum is positive before subtracting from LONG_MAX in get_address()
and add e_line_number_out_of_range[] in src/errors.h (ex_docmd.c +
errors.h, upstream patches 8.2.3659 + 9.0.2110)
- CVE-2024-41957: fix use-after-free in tagstack_clear_entry(); use
VIM_CLEAR to NULL pointers when freeing the tagstack on win_free
(window.c, upstream patch 9.1.0647)
- CVE-2024-43374: fix use-after-free in alist_add(); lock the current
window across the buflist_add() autocmd window so its tagstack
reference cannot be freed underneath us (arglist.c, upstream patch
9.1.0678)
- CVE-2024-47814: fix use-after-free when closing a buffer; abort
do_ecmd() if the new buffer is marked for deletion via b_locked or
b_locked_split (ex_cmds.c, upstream patch 9.1.0764)
Updated packages:
- vim-X11-8.2.2637-22.el9_6.1.tuxcare.els24.x86_64.rpm
  sha:f5b51c340cdb211cefc35615d45c987fb604253541aeea1b9c7a6d3563b09e45
- vim-common-8.2.2637-22.el9_6.1.tuxcare.els24.x86_64.rpm
  sha:6873c365e70bf2d9ddafb4a204c81860fca7922d96e613fbd6712d8f360139a6
- vim-enhanced-8.2.2637-22.el9_6.1.tuxcare.els24.x86_64.rpm
  sha:0f829f5fc7aa914c0c6ab08c36cafbc6201ecdb5b5c50014d506a7b2f6226e37
- vim-filesystem-8.2.2637-22.el9_6.1.tuxcare.els24.noarch.rpm
  sha:e326ddd2c33a4d4ccd8fbe3b9966a2d09736854dc14bcd0d039c474b8b19bb33
- vim-minimal-8.2.2637-22.el9_6.1.tuxcare.els24.x86_64.rpm
  sha:2f8cdd32030496477721005269111130fd243982cc6561c6407b2ac6a5e3d0ff
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.