diff --git a/backport-CVE-2025-1215.patch b/backport-CVE-2025-1215.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b61d09979f26d82be573689db6d51234e5f893f
--- /dev/null
+++ b/backport-CVE-2025-1215.patch
@@ -0,0 +1,124 @@
+From c5654b84480822817bb7b69ebc97c174c91185e9 Mon Sep 17 00:00:00 2001
+From: Hirohito Higashi <h.east.727@gmail.com>
+Date: Mon, 10 Feb 2025 20:55:17 +0100
+Subject: [PATCH] patch 9.1.1097: --log with non-existent path causes a crash
+
+Problem:  --log with non-existent path causes a crash
+          (Ekkosun)
+Solution: split initialization phase and init the execution stack
+          earlier (Hirohito Higashi)
+
+fixes: #16606
+closes: #16610
+
+Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/main.c                   | 21 +++++++++++++++++----
+ src/message_test.c           |  3 ++-
+ src/proto/main.pro           |  3 ++-
+ src/testdir/test_startup.vim |  7 +++++++
+ 4 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index ecc61f4d0be886..f603a52a52e09d 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -144,6 +144,11 @@ main
+     atexit(vim_mem_profile_dump);
+ #endif
+ 
++    /*
++     * Various initialisations #1 shared with tests.
++     */
++    common_init_1();
++
+ #if defined(STARTUPTIME) || defined(FEAT_JOB_CHANNEL)
+     // Need to find "--startuptime" and "--log" before actually parsing
+     // arguments.
+@@ -185,9 +190,9 @@ main
+ #endif
+ 
+     /*
+-     * Various initialisations shared with tests.
++     * Various initialisations #2 shared with tests.
+      */
+-    common_init(&params);
++    common_init_2(&params);
+ 
+ #ifdef VIMDLL
+     // Check if the current executable file is for the GUI subsystem.
+@@ -900,10 +905,10 @@ vim_main2(void)
+ }
+ 
+ /*
+- * Initialisation shared by main() and some tests.
++ * Initialisation #1 shared by main() and some tests.
+  */
+     void
+-common_init(mparm_T *paramp)
++common_init_1(void)
+ {
+     estack_init();
+     cmdline_init();
+@@ -925,7 +930,15 @@ common_init(mparm_T *paramp)
+ 	    || (NameBuff = alloc(MAXPATHL)) == NULL)
+ 	mch_exit(0);
+     TIME_MSG("Allocated generic buffers");
++}
++
+ 
++/*
++ * Initialisation #2 shared by main() and some tests.
++ */
++    void
++common_init_2(mparm_T *paramp)
++{
+ #ifdef NBDEBUG
+     // Wait a moment for debugging NetBeans.  Must be after allocating
+     // NameBuff.
+diff --git a/src/message_test.c b/src/message_test.c
+index 62f7772470d0e4..83767ece930899 100644
+--- a/src/message_test.c
++++ b/src/message_test.c
+@@ -508,7 +508,8 @@ main(int argc, char **argv)
+     CLEAR_FIELD(params);
+     params.argc = argc;
+     params.argv = argv;
+-    common_init(&params);
++    common_init_1();
++    common_init_2(&params);
+ 
+     set_option_value_give_err((char_u *)"encoding", 0, (char_u *)"utf-8", 0);
+     init_chartab();
+diff --git a/src/proto/main.pro b/src/proto/main.pro
+index 496fe66be6950d..7e4c50803e8ef2 100644
+--- a/src/proto/main.pro
++++ b/src/proto/main.pro
+@@ -1,6 +1,7 @@
+ /* main.c */
+ int vim_main2(void);
+-void common_init(mparm_T *paramp);
++void common_init_1(void);
++void common_init_2(mparm_T *paramp);
+ int is_not_a_term(void);
+ int is_not_a_term_or_gui(void);
+ void free_vbuf(void);
+diff --git a/src/testdir/test_startup.vim b/src/testdir/test_startup.vim
+index 7c703916045e70..c16e4ae27de3b2 100644
+--- a/src/testdir/test_startup.vim
++++ b/src/testdir/test_startup.vim
+@@ -734,6 +734,13 @@ func Test_log()
+   call delete('Xlogfile')
+ endfunc
+ 
++func Test_log_nonexistent()
++  " this used to crash Vim
++  CheckFeature channel
++  let result = join(systemlist(GetVimCommand() .. ' --log /X/Xlogfile -c qa!'))
++  call assert_match("E484: Can't open file", result)
++endfunc
++
+ func Test_read_stdin()
+   let after =<< trim [CODE]
+     write Xtestout
diff --git a/backport-CVE-2025-26603.patch b/backport-CVE-2025-26603.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c161b669187e8fc7dfd3dc6ec22160bc788921ff
--- /dev/null
+++ b/backport-CVE-2025-26603.patch
@@ -0,0 +1,62 @@
+From c0f0e2380e5954f4a52a131bf6b8499838ad1dae Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 16 Feb 2025 16:06:38 +0100
+Subject: [PATCH] patch 9.1.1115: [security]: use-after-free in str_to_reg()
+
+Problem:  [security]: use-after-free in str_to_reg()
+          (fizz-is-on-the-way)
+Solution: when redirecting the :display command, check that one
+          does not output to the register being displayed
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/register.c                 |  3 ++-
+ src/testdir/test_registers.vim | 20 ++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index 0df05054ca7229..a9630f8ef5db93 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -2405,7 +2405,8 @@ ex_display(exarg_T *eap)
+ 
+ #ifdef FEAT_EVAL
+ 	if (name == MB_TOLOWER(redir_reg)
+-		|| (redir_reg == '"' && yb == y_previous))
++		|| (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
++		    (yb == y_previous || yb == &y_regs[0])))
+ 	    continue;	    // do not list register being written to, the
+ 			    // pointer can be freed
+ #endif
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index 1177c2395d3f09..13127022666e04 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -929,4 +929,24 @@ func Test_register_y_append_reset()
+   bwipe!
+ endfunc
+ 
++" This caused use-after-free
++func Test_register_redir_display()
++  " don't touch the clipboard, so only perform this, when the clipboard is not working
++  if has("clipboard_working")
++    throw "Skipped: skip touching the clipboard register!"
++  endif
++  let @"=''
++  redir @+>
++  disp +"
++  redir END
++  call assert_equal("\nType Name Content", getreg('+'))
++  let a = [getreg('1'), getregtype('1')]
++  let @1='register 1'
++  redir @+
++  disp 1
++  redir END
++  call assert_equal("register 1", getreg('1'))
++  call setreg(1, a[0], a[1])
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 0bfd5f7f05d82dc8763a049ef5eabff19ff464bf..f0d472d527a7bb124babd0da4ce553cd1c9cfea8 100644
--- a/vim.spec
+++ b/vim.spec
@@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        16
+Release:        17
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -56,6 +56,8 @@ Patch6021:      backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-compl
 Patch6022:      backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
 Patch6023:      backport-CVE-2025-22134.patch
 Patch6024:      backport-CVE-2025-24014.patch
+Patch6025:      backport-CVE-2025-1215.patch
+Patch6026:      backport-CVE-2025-26603.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      fix-CVE-2024-47814.patch
@@ -464,6 +466,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Feb 18 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-17
+- Type:CVE
+- ID:CVE-2025-1215 CVE-2025-26603
+- SUG:NA
+- DESC:fix CVE-2025-1215 CVE-2025-26603
+
 * Mon Jan 20 2025 wangjiang <app@cameyan.com> - 2:9.0.2092-16
 - Type:CVE
 - ID:CVE-2025-22134 CVE-2025-24014