diff --git a/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 0000000..3d45b8e
--- /dev/null
+++ b/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,44 @@
+diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
+--- vim82/src/regexp_bt.c.cve1154	2022-04-25 15:22:28.367621755 +0200
++++ vim82/src/regexp_bt.c	2022-04-25 15:25:13.726340728 +0200
+@@ -3188,8 +3188,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
++		size_t	col = REG_MULTI ? rex.input - rex.line : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++		// Line may have been freed, get it again.
++		if (REG_MULTI)
++		{
++		    rex.line = reg_getline(rex.lnum);
++		    rex.input = rex.line + col;
++		}
++
+ 		if (pos == NULL		     // mark doesn't exist
+ 			|| pos->lnum <= 0    // mark isn't set in reg_buf
+ 			|| (pos->lnum == rex.lnum + rex.reg_firstlnum
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve1154	2022-04-25 15:22:28.368621752 +0200
++++ vim82/src/testdir/test_regexp_latin.vim	2022-04-25 15:26:57.515227712 +0200
+@@ -954,4 +954,19 @@ func Test_using_visual_position()
+   bwipe!
+ endfunc
+ 
++func Test_using_mark_position()
++  " this was using freed memory
++  " new engine
++  new
++  norm O0
++  call assert_fails("s/\\%')", 'E486:')
++  bwipe!
++
++  " old engine
++  new
++  norm O0
++  call assert_fails("s/\\%#=1\\%')", 'E486:')
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index c932b19..00dbd32 100644
--- a/vim.spec
+++ b/vim.spec
@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -120,6 +120,8 @@ Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
 Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
 # CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
 Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -352,6 +354,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3043 -p1 -b .cve0714
 %patch3044 -p1 -b .cve0554
 %patch3045 -p1 -b .cve0943
+%patch3046 -p1 -b .cve1154
 
 %build
 cd src
@@ -909,6 +912,9 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+
 * Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
 - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
 - CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim