diff --git a/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch b/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
new file mode 100644
index 00000000..499bd6c0
--- /dev/null
+++ b/0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch
@@ -0,0 +1,43 @@
+diff --git a/src/structs.h b/src/structs.h
+index 5b88260..e8f5db3 100644
+--- a/src/structs.h
++++ b/src/structs.h
+@@ -5026,3 +5026,7 @@ typedef struct {
+ linenr_T spv_capcol_lnum; // line number for "cap_col"
+ #endif
+ } spellvars_T;
++
++// Return the length of a string literal
++#define STRLEN_LITERAL(s) (sizeof(s) - 1)
++
+diff --git a/src/tag.c b/src/tag.c
+index 893415f..2e7a74d 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -3344,7 +3344,7 @@ get_tagfname(
+ if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ return FAIL;
+ ++tnp->tn_hf_idx;
+- STRCPY(buf, p_hf);
++ vim_strncpy(buf, p_hf, MAXPATHL - 1);
+ STRCPY(gettail(buf), "tags");
+ #ifdef BACKSLASH_IN_FILENAME
+ slash_adjust(buf);
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index 6c8b3ab..bf15a42 100644
+--- a/src/testdir/test_help.vim
++++ b/src/testdir/test_help.vim
+@@ -205,5 +205,13 @@ func Test_help_using_visual_match()
+ call v9.CheckScriptFailure(lines, 'E149:')
+ endfunc
+
++" This caused a buffer overflow
++func Test_helpfile_overflow()
++ let _helpfile = &helpfile
++ let &helpfile = repeat('A', 5000)
++ help
++ helpclose
++ let &helpfile = _helpfile
++endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch b/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
new file mode 100644
index 00000000..4a4be5b9
--- /dev/null
+++ b/0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch
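Review bot: The new patch file is a bare diff with no provenance header — unlike the 9.1.2133 patch added next to it, it carries no `From <commit>`, Subject, Problem/Solution or Signed-off-by lines — so anyone auditing this build cannot tie the fix to the upstream commit for patch 9.1.2132. Regenerating it with `git format-patch` from the upstream tree, or at least recording the upstream commit id next to the `# RHEL-147922 CVE-2026-25749` comment in vim.spec (e.g. `# upstream: <UPSTREAM-COMMIT-FOR-9.1.2132>`, a placeholder to fill in), would close that gap; the two `# 0001-patch-...` comment lines there that merely repeat the Patch3010/Patch3011 file names could carry that reference instead. Separately, the comment on the new `STRLEN_LITERAL` macro in structs.h should state its limitation, since `sizeof(s) - 1` is the string length only when `s` is a literal or char array and silently yields `sizeof(char *) - 1` for a pointer: `// Return the length of a string literal (sizeof-based: not valid for char pointers)`. The `get_tagfname` body patched in the tag.c hunk starts and continues outside the hunk.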
@@ -0,0 +1,52 @@
+From 21d591fb12b08b52d92253bf9ac4b866475d62d6 Mon Sep 17 00:00:00 2001
+From: zeertzjq
+Date: Fri, 6 Feb 2026 09:37:58 +0000
+Subject: [PATCH] patch 9.1.2133: Another case of buffer overflow with
+ 'helpfile'
+
+Problem: Another case of buffer overflow with 'helpfile'.
+Solution: Leave room for "tags" in the buffer (zeertzjq).
+
+closes: #19340
+
+Signed-off-by: zeertzjq
+Signed-off-by: Christian Brabandt
+---
+ runtime/doc/version9.txt | 6 +++++-
+ src/tag.c | 2 +-
+ src/testdir/test_help.vim | 5 +++++
+ src/version.c | 2 ++
+ 4 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index 78e7c80a1..6968aac27 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -3347,7 +3347,7 @@ get_tagfname(
+ if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
+ return FAIL;
+ ++tnp->tn_hf_idx;
+- vim_strncpy(buf, p_hf, MAXPATHL - 1);
++ vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1);
+ STRCPY(gettail(buf), "tags");
+ #ifdef BACKSLASH_IN_FILENAME
+ slash_adjust(buf);
+diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
+index d30ef17b0..1a52998f9 100644
+--- a/src/testdir/test_help.vim
++++ b/src/testdir/test_help.vim
+@@ -281,6 +281,11 @@ func Test_helpfile_overflow()
+ let &helpfile = repeat('A', 5000)
+ help
+ helpclose
++ for i in range(4089, 4096)
++ let &helpfile = repeat('A', i) .. '/A'
++ help
++ helpclose
++ endfor
+ let &helpfile = _helpfile
+ endfunc
+
+--
+2.53.0
+
diff --git a/vim.spec b/vim.spec
index 56d0d6cf..d62ab6c6 100644
--- a/vim.spec
+++ b/vim.spec
@@ -51,7 +51,7 @@ Summary: The VIM editor
URL: http://www.vim.org/
Name: vim
Version: %{baseversion}.%{patchlevel}
-Release: 6%{?dist}
+Release: 6%{?dist}.1
Epoch: 2
# swift.vim contains Apache 2.0 with runtime library exception:
# which is taken as Apache-2.0 WITH Swift-exception - reported to legal as https://gitlab.com/fedora/legal/fedora-license-data/-/issues/188
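Review bot: The tightened bound `MAXPATHL - STRLEN_LITERAL("tags") - 1` leaves room for the `STRCPY(gettail(buf), "tags")` on the next line (at most MAXPATHL-5 characters are copied, so "tags" plus its NUL end inside a MAXPATHL-sized `buf`), but a 'helpfile' longer than that is now silently truncated rather than rejected, so the tags path actually searched can differ from the one configured. The line above already returns FAIL for an empty `p_hf`; the same guard could refuse a value that cannot fit, `if (STRLEN(p_hf) >= MAXPATHL - STRLEN_LITERAL("tags") || *p_hf == NUL) return FAIL;`, if failing loudly is preferred over truncating here — a design choice rather than a memory-safety gap, since the copy is bounded either way. The size of `buf` is not visible in the hunk and is assumed to be MAXPATHL from the bound used, and `get_tagfname` starts and continues outside the hunk. The added test probes lengths around the presumed MAXPATHL boundary (its value is not shown here), which is the right place to look for an off-by-one.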
@@ -110,6 +110,11 @@ Patch3007: 0001-patch-9.1.0904-Vim9-copy-paste-error-in-class_defini.patch Patch3008: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch # RHEL-113543 CVE-2025-53905 vim: Vim path traversial Patch3009: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch +# RHEL-147922 CVE-2026-25749 vim: Heap Overflow in Vim +# 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch +# 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch +Patch3010: 0001-patch-9.1.2132-security-buffer-overflow-in-helpfile-.patch +Patch3011: 0001-patch-9.1.2133-Another-case-of-buffer-overflow-with-.patch # uses autoconf in spec file @@ -437,6 +442,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch -P 3007 -p1 -b .typo %patch -P 3008 -p1 -b .zip-cve %patch -P 3009 -p1 -b .tar-cve +%patch -P 3010 -p1 -b .tag-overflow +%patch -P 3011 -p1 -b .tag-overflow2 %build cd src @@ -1072,6 +1079,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog +* Wed Feb 25 2026 Zdenek Dohnal - 2:9.1.083-6.1 +- RHEL-147922 CVE-2026-25749 vim: Heap Overflow in Vim + * Wed Sep 10 2025 Zdenek Dohnal - 2:9.1.083-6 - RHEL-113549 CVE-2025-53906 vim: Vim path traversal - RHEL-113543 CVE-2025-53905 vim: Vim path traversial