diff --git a/backport-CVE-2023-46246.patch b/backport-CVE-2023-46246.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b4ec1fbc3e8f9839c3ecbe4bed09ab43a53e88b5
--- /dev/null
+++ b/backport-CVE-2023-46246.patch
@@ -0,0 +1,102 @@
+From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Thu, 26 Oct 2023 21:29:32 +0200
+Subject: [PATCH] patch 9.0.2068: [security] overflow in :history
+
+Problem: [security] overflow in :history
+Solution: Check that value fits into int
+
+The get_list_range() function, used to parse numbers for the :history
+and :clist command internally uses long variables to store the numbers.
+However function arguments are integer pointers, which can then
+overflow.
+
+Check that the return value from the vim_str2nr() function is not larger
+than INT_MAX and if yes, bail out with an error. I guess nobody uses a
+cmdline/clist history that needs so many entries... (famous last words).
+
+It is only a moderate vulnerability, so impact should be low.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
+
+Signed-off-by: Christian Brabandt
+---
+ src/cmdhist.c | 5 ++++-
+ src/errors.h | 2 ++
+ src/ex_getln.c | 10 +++++++++-
+ src/testdir/test_history.vim | 8 ++++++++
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmdhist.c b/src/cmdhist.c
+index d398ca7a687b5..96a9b3e95b86f 100644
+--- a/src/cmdhist.c
++++ b/src/cmdhist.c
+@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
+ end = arg;
+ if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
+ {
+- semsg(_(e_trailing_characters_str), end);
++ if (*end != NUL)
++ semsg(_(e_trailing_characters_str), end);
++ else
++ semsg(_(e_val_too_large), arg);
+ return;
+ }
+
+diff --git a/src/errors.h b/src/errors.h
+index 79a785e1e2953..72957d8b93bdc 100644
+--- a/src/errors.h
++++ b/src/errors.h
+@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
+ #endif
+ EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
+ INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
++EXTERN char e_val_too_large[]
++ INIT(= N_("E1510: Value too large: %s"));
+diff a/src/ex_getln.c b/src/ex_getln.c
+index 9683e2ebd5af5..8f0be520886be 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
+ {
+ vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
+ *str += len;
++ // overflow
++ if (num > INT_MAX)
++ return FAIL;
++
+ *num1 = (int)num;
+ first = TRUE;
+ }
+@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
+ vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
+ if (len > 0)
+ {
+- *num2 = (int)num;
+ *str = skipwhite(*str + len);
++ // overflow
++ if (num > INT_MAX)
++ return FAIL;
++
++ *num2 = (int)num;
+ }
+ else if (!first) // no number given at all
+ return FAIL;
+diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
+index bb6d67172585e..482328ab4aaef 100644
+--- a/src/testdir/test_history.vim
++++ b/src/testdir/test_history.vim
+@@ -249,4 +249,12 @@ func Test_history_crypt_key()
+ set key& bs& ts&
+ endfunc
+
++" The following used to overflow and causing an use-after-free
++func Test_history_max_val()
++
++ set history=10
++ call assert_fails(':history 2147483648', 'E1510:')
++ set history&
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index a4ab910a490af034f2338022d59ccb06e6d927f5..851fb4c6729706b4d1ba0013891e22bd07533a52 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 18
+Release: 19
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -109,6 +109,7 @@ Patch6079: backport-CVE-2023-4781.patch
 Patch6080: backport-CVE-2023-5344.patch
 Patch6081: backport-CVE-2023-5441.patch
 Patch6082: backport-CVE-2023-5535.patch
+Patch6083: backport-CVE-2023-46246.patch
 Patch9000: bugfix-rm-modify-info-version.patch
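Review bot: The bound checks added in both src/ex_getln.c hunks of the backported patch reject only `num > INT_MAX`, so a parsed value below INT_MIN still reaches the `(int)num` narrowing on the following line in get_list_range. The commit message states num is a long while the out-parameters are int pointers, which is exactly what makes that narrowing lossy in the negative direction as well; whether this parser accepts a leading '-' cannot be confirmed from the hunk, since get_list_range starts and ends outside it. If negative ranges are valid here, widen the guard in both places to `if (num > INT_MAX || num < INT_MIN) return FAIL;` and consider replacing the bare `// overflow` comment with `// value must fit the int out-parameter`. The test in test_history.vim only exercises the positive overflow, so a companion assertion with a large negative value would pin the extended check.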
@@ -516,6 +517,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Wed Nov 01 2023 wangjiang - 2:9.0-19
+- Type:CVE
+- ID:CVE-2023-46246
+- SUG:NA
+- DESC:fix CVE-2023-46246
+
 * Mon Oct 16 2023 wangjiang - 2:9.0-18
 - Type:CVE
 - ID:CVE-2023-5441 CVE-2023-5535