diff --git a/backport-CVE-2022-2923.patch b/backport-CVE-2022-2923.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8d65e7dfc5370525919b62670443c15bd78b9e5e
--- /dev/null
+++ b/backport-CVE-2022-2923.patch
@@ -0,0 +1,54 @@
+From 6669de1b235843968e88844ca6d3c8dec4b01a9e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sun, 21 Aug 2022 20:33:47 +0100
+Subject: [PATCH] patch 9.0.0240: crash when using ":mkspell" with an
+empty
+ .dic file
+
+Problem: Crash when using ":mkspell" with an empty .dic file.
+Solution: Check for an empty word tree.
+---
+ src/spellfile.c | 4 +++-
+ src/testdir/test_spellfile.vim | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index aeeb6ad..08dcc1b 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -5561,10 +5561,12 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
+
+ /*
+ * Go through the whole case-folded tree, soundfold each word and put it
+- * in the trie.
++ * in the trie. Bail out if the tree is empty.
+ */
+ byts = slang->sl_fbyts;
+ idxs = slang->sl_fidxs;
++ if (byts == NULL || idxs == NULL)
++ return FAIL;
+
+ arridx[0] = 0;
+ curi[0] = 1;
+diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
+index 1382c02..4de7389 100644
+--- a/src/testdir/test_spellfile.vim
++++ b/src/testdir/test_spellfile.vim
+@@ -176,3 +176,14 @@ func Test_check_for_valid_word()
+ call assert_fails("spellgood! 0^B\xac", 'E1280:')
+ endfunc
+
++" this was using a NULL pointer
++func Test_mkspell_empty_dic()
++ call writefile(['1'], 'XtestEmpty.dic')
++ call writefile(['SOFOFROM abcd', 'SOFOTO ABCD', 'SAL CIA X'], 'XtestEmpty.aff')
++ mkspell! XtestEmpty.spl XtestEmpty
++
++ call delete('XtestEmpty.dic')
++ call delete('XtestEmpty.aff')
++ call delete('XtestEmpty.spl')
++endfunc
++
+--
+2.27.0
+
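Review bot: The new guard in sug_filltree() only catches the case where sl_fbyts or sl_fidxs is NULL; from this hunk a reader cannot tell whether the tree loader leaves both pointers NULL for a tree with zero words or hands back a zero-length allocation, and in the latter case the traversal that follows (`arridx[0] = 0; curi[0] = 1;`) would still index an empty buffer. The fix and the new test with a one-line `XtestEmpty.dic` suggest the NULL-leaving behaviour, so the invariant the check relies on should be stated where it is used, e.g. `* in the trie. Bail out if the tree is empty (the loader leaves both pointers NULL when no words were read).` instead of the bare "Bail out if the tree is empty". sug_filltree() begins before this hunk and continues after it, so whether a FAIL return leaves partially initialised spin state for the caller to release is not visible here.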
diff --git a/backport-CVE-2022-2946.patch b/backport-CVE-2022-2946.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d3f8f9db8a1336e18e9a7f475678a9714cfbf8b
--- /dev/null
+++ b/backport-CVE-2022-2946.patch
@@ -0,0 +1,71 @@
+From adce965162dd89bf29ee0e5baf53652e7515762c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 22 Aug 2022 16:35:45 +0100
+Subject: [PATCH] patch 9.0.0246: using freed memory when 'tagfunc' deletes the
+ buffer
+
+Problem: Using freed memory when 'tagfunc' deletes the buffer.
+Solution: Make a copy of the tag name.
+---
+ src/tag.c | 9 ++++++++-
+ src/testdir/test_tagfunc.vim | 12 ++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index c00f5fb..aceb6e4 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -161,6 +161,7 @@ do_tag(
+ char_u *buf_ffname = curbuf->b_ffname; // name to use for
+ // priority computation
+ int use_tfu = 1;
++ char_u *tofree = NULL;
+
+ // remember the matches for the last used tag
+ static int num_matches = 0;
+@@ -510,7 +511,12 @@ do_tag(
+ * When desired match not found yet, try to find it (and others).
+ */
+ if (use_tagstack)
+- name = tagstack[tagstackidx].tagname;
++ {
++ // make a copy, the tagstack may change in 'tagfunc'
++ name = vim_strsave(tagstack[tagstackidx].tagname);
++ vim_free(tofree);
++ tofree = name;
++ }
+ #if defined(FEAT_QUICKFIX)
+ else if (g_do_tagpreview != 0)
+ name = ptag_entry.tagname;
+@@ -802,6 +808,7 @@ end_do_tag:
+ g_do_tagpreview = 0; // don't do tag preview next time
+ # endif
+
++ vim_free(tofree);
+ #ifdef FEAT_CSCOPE
+ return jumped_to_tag;
+ #else
+diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
+index 242aa3a..74ad3d1 100644
+--- a/src/testdir/test_tagfunc.vim
++++ b/src/testdir/test_tagfunc.vim
+@@ -81,4 +81,16 @@ func Test_tagfunc()
+ call delete('Xfile1')
+ endfunc
+
++func Test_tagfunc_wipes_buffer()
++ func g:Tag0unc0(t,f,o)
++ bwipe
++ endfunc
++ set tagfunc=g:Tag0unc0
++ new
++ cal assert_fails('tag 0', 'E426:')
++
++ delfunc g:Tag0unc0
++ set tagfunc=
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
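Review bot: `name = vim_strsave(tagstack[tagstackidx].tagname);` in the second tag.c hunk can return NULL on allocation failure, and nothing in the hunk checks the result before `name` is used further down; the line it replaces could never yield a NULL name here, so this is a new failure mode rather than the pre-existing one. If the code after the hunk does not already tolerate a NULL name, add `if (name == NULL) goto end_do_tag;` right after `tofree = name;` — the `end_do_tag:` path in the third hunk now does `vim_free(tofree)`, which is a no-op on NULL, so the early exit leaves nothing dangling. do_tag() starts before the first hunk and ends after the third, so whether `name` is validated later is not visible here.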
diff --git a/vim.spec b/vim.spec index 772d63f156759aa732cf1be76c3315839eee7a67..0f993079ba72e42f8c18d3b6baa06c00597ec2a4 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 59 +Release: 60 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -164,6 +164,8 @@ Patch6127: backport-CVE-2022-2598.patch Patch6128: backport-CVE-2022-2571.patch Patch6129: backport-CVE-2022-1725.patch Patch6130: backport-CVE-2022-2845.patch +Patch6131: backport-CVE-2022-2923.patch +Patch6132: backport-CVE-2022-2946.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -552,6 +554,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Mon Aug 22 2022 shixuantong - 2:8.2-60 +- Type:CVE +- ID:CVE-2022-2923 CVE-2022-2946 +- SUG:NA +- DESC:fix CVE-2022-2923 CVE-2022-2946 + * Fri Aug 19 2022 shixuantong - 2:8.2-59 - Type:CVE - ID:CVE-2022-2845
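Review bot: Patch6131 and Patch6132 are declared in the second hunk, but whether they are actually applied depends on how the %prep section consumes Patch tags, which is outside this hunk: an `%autosetup -p1` picks them up automatically, whereas explicit `%patch` lines would each need a matching `%patch6131 -p1` and `%patch6132 -p1`. Since the changelog entry in the third hunk records both CVEs as fixed, confirm in the build log that both backports are applied rather than only registered.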