diff --git a/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch b/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch
new file mode 100644
index 0000000..6a6ae25
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch
@@ -0,0 +1,44 @@
+diff -up vim82/src/regexp.c.cve4192 vim82/src/regexp.c
+--- vim82/src/regexp.c.cve4192	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/regexp.c	2022-01-13 10:54:17.629176807 +0100
+@@ -1316,9 +1316,9 @@ reg_match_visual(void)
+     if (lnum < top.lnum || lnum > bot.lnum)
+ 	return FALSE;
+ 
++    col = (colnr_T)(rex.input - rex.line);
+     if (mode == 'v')
+     {
+-	col = (colnr_T)(rex.input - rex.line);
+ 	if ((lnum == top.lnum && col < top.col)
+ 		|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ 	    return FALSE;
+@@ -1333,7 +1333,12 @@ reg_match_visual(void)
+ 	    end = end2;
+ 	if (top.col == MAXCOL || bot.col == MAXCOL)
+ 	    end = MAXCOL;
+-	cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
++
++	// getvvcol() flushes rex.line, need to get it again
++	rex.line = reg_getline(rex.lnum);
++	rex.input = rex.line + col;
++
++	cols = win_linetabsize(wp, rex.line, col);
+ 	if (cols < start || cols > end - (*p_sel == 'e'))
+ 	    return FALSE;
+     }
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve4192 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve4192	2022-01-13 10:52:05.508789448 +0100
++++ vim82/src/testdir/test_regexp_latin.vim	2022-01-13 10:52:05.510789454 +0100
+@@ -946,4 +946,12 @@ func Test_using_invalid_visual_position(
+   bwipe!
+ endfunc
+ 
++func Test_using_visual_position()
++  " this was using freed memory
++  new
++  exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
++  /\%V
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch b/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
new file mode 100644
index 0000000..885bc35
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
@@ -0,0 +1,39 @@
+diff -up vim82/src/charset.c.cve4193 vim82/src/charset.c
+--- vim82/src/charset.c.cve4193	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/charset.c	2022-01-13 10:14:55.634913386 +0100
+@@ -1232,10 +1232,15 @@ getvcol(
+ 	posptr = NULL;  // continue until the NUL
+     else
+     {
+-	// Special check for an empty line, which can happen on exit, when
+-	// ml_get_buf() always returns an empty string.
+-	if (*ptr == NUL)
+-	    pos->col = 0;
++	colnr_T i;
++
++	// In a few cases the position can be beyond the end of the line.
++	for (i = 0; i < pos->col; ++i)
++	    if (ptr[i] == NUL)
++	    {
++		pos->col = i;
++		break;
++	    }
+ 	posptr = ptr + pos->col;
+ 	if (has_mbyte)
+ 	    // always start on the first byte
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve4193 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve4193	2022-01-13 10:14:55.634913386 +0100
++++ vim82/src/testdir/test_regexp_latin.vim	2022-01-13 10:17:01.905292715 +0100
+@@ -938,4 +938,12 @@ func Test_regexp_last_subst_string()
+   close!
+ endfunc
+ 
++func Test_using_invalid_visual_position()
++  " this was going beyond the end of the line
++  new
++  exe "norm 0o000\<Esc>0\<C-V>$s0"
++  /\%V
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index bcbf058..234c6df 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -84,6 +84,10 @@ Patch3025: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 Patch3026: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
 # 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
 Patch3027: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
+# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
+Patch3028: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
+# CVE-2021-4192 vim: vulnerable to Use After Free
+Patch3029: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -298,6 +302,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3025 -p1 -b .cve-win-redr
 %patch3026 -p1 -b .cve3984
 %patch3027 -p1 -b .cve4019
+%patch3028 -p1 -b .cve4193
+%patch3029 -p1 -b .cve4192
 
 %build
 cd src
@@ -855,7 +861,11 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
-* Mon Dec 02 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-9
+* Thu Jan 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-10
+- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
+- CVE-2021-4192 vim: vulnerable to Use After Free
+
+* Mon Dec 06 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-9
 - 2028431 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-9.0]
 
 * Thu Dec 02 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-9