diff --git a/vim-cve-var-retab.patch b/vim-cve-var-retab.patch
new file mode 100644
index 0000000..e262955
--- /dev/null
+++ b/vim-cve-var-retab.patch
@@ -0,0 +1,200 @@
+diff --git a/src/indent.c b/src/indent.c
+index e1c6f52..a002b4b 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -18,18 +18,19 @@
+ /*
+  * Set the integer values corresponding to the string setting of 'vartabstop'.
+  * "array" will be set, caller must free it if needed.
++ * Return FAIL for an error.
+  */
+     int
+ tabstop_set(char_u *var, int **array)
+ {
+-    int valcount = 1;
+-    int t;
+-    char_u *cp;
++    int	    valcount = 1;
++    int	    t;
++    char_u  *cp;
+ 
+     if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
+     {
+ 	*array = NULL;
+-	return TRUE;
++	return OK;
+     }
+ 
+     for (cp = var; *cp != NUL; ++cp)
+@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
+ 		if (cp != end)
+ 		    emsg(_(e_positive));
+ 		else
+-		    emsg(_(e_invarg));
+-		return FALSE;
++		    semsg(_(e_invarg2), cp);
++		return FAIL;
+ 	    }
+ 	}
+ 
+@@ -55,26 +56,36 @@ tabstop_set(char_u *var, int **array)
+ 	    ++valcount;
+ 	    continue;
+ 	}
+-	emsg(_(e_invarg));
+-	return FALSE;
++	semsg(_(e_invarg2), var);
++	return FAIL;
+     }
+ 
+     *array = ALLOC_MULT(int, valcount + 1);
+     if (*array == NULL)
+-	return FALSE;
++	return FAIL;
+     (*array)[0] = valcount;
+ 
+     t = 1;
+     for (cp = var; *cp != NUL;)
+     {
+-	(*array)[t++] = atoi((char *)cp);
+-	while (*cp  != NUL && *cp != ',')
++	int n = atoi((char *)cp);
++
++	// Catch negative values, overflow and ridiculous big values.
++	if (n < 0 || n > 9999)
++	{
++	    semsg(_(e_invarg2), cp);
++	    vim_free(*array);
++	    *array = NULL;
++	    return FAIL;
++	}
++	(*array)[t++] = n;
++	while (*cp != NUL && *cp != ',')
+ 	    ++cp;
+ 	if (*cp != NUL)
+ 	    ++cp;
+     }
+ 
+-    return TRUE;
++    return OK;
+ }
+ 
+ /*
+@@ -1561,7 +1572,7 @@ ex_retab(exarg_T *eap)
+ 
+ #ifdef FEAT_VARTABS
+     new_ts_str = eap->arg;
+-    if (!tabstop_set(eap->arg, &new_vts_array))
++    if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
+ 	return;
+     while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
+ 	++(eap->arg);
+@@ -1577,12 +1588,18 @@ ex_retab(exarg_T *eap)
+     else
+ 	new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str);
+ #else
+-    new_ts = getdigits(&(eap->arg));
+-    if (new_ts < 0)
++    ptr = eap->arg;
++    new_ts = getdigits(&ptr);
++    if (new_ts < 0 && *eap->arg == '-')
+     {
+ 	emsg(_(e_positive));
+ 	return;
+     }
++    if (new_ts < 0 || new_ts > 9999)
++    {
++	semsg(_(e_invarg2), eap->arg);
++	return;
++    }
+     if (new_ts == 0)
+ 	new_ts = curbuf->b_p_ts;
+ #endif
+diff --git a/src/option.c b/src/option.c
+index b9d7edb..9a3b71e 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -2349,9 +2349,9 @@ didset_options2(void)
+ #endif
+ #ifdef FEAT_VARTABS
+     vim_free(curbuf->b_p_vsts_array);
+-    tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++    (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+     vim_free(curbuf->b_p_vts_array);
+-    tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
++    (void)tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
+ #endif
+ }
+ 
+@@ -5828,7 +5828,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 	    buf->b_p_vsts = vim_strsave(p_vsts);
+ 	    COPY_OPT_SCTX(buf, BV_VSTS);
+ 	    if (p_vsts && p_vsts != empty_option)
+-		tabstop_set(p_vsts, &buf->b_p_vsts_array);
++		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ 	    else
+ 		buf->b_p_vsts_array = 0;
+ 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
+@@ -5988,7 +5988,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 		buf->b_p_isk = save_p_isk;
+ #ifdef FEAT_VARTABS
+ 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+-		    tabstop_set(p_vts, &buf->b_p_vts_array);
++		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ 		else
+ 		    buf->b_p_vts_array = NULL;
+ #endif
+@@ -6003,7 +6003,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 		buf->b_p_vts = vim_strsave(p_vts);
+ 		COPY_OPT_SCTX(buf, BV_VTS);
+ 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+-		    tabstop_set(p_vts, &buf->b_p_vts_array);
++		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ 		else
+ 		    buf->b_p_vts_array = NULL;
+ #endif
+@@ -6700,7 +6700,7 @@ paste_option_changed(void)
+ 	    if (buf->b_p_vsts_array)
+ 		vim_free(buf->b_p_vsts_array);
+ 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+-		tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
++		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ 	    else
+ 		buf->b_p_vsts_array = 0;
+ #endif
+diff --git a/src/optionstr.c b/src/optionstr.c
+index 521242d..db015e8 100644
+--- a/src/optionstr.c
++++ b/src/optionstr.c
+@@ -2215,7 +2215,7 @@ ambw_end:
+ 	    if (errmsg == NULL)
+ 	    {
+ 		int *oldarray = curbuf->b_p_vsts_array;
+-		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
++		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
+ 		{
+ 		    if (oldarray)
+ 			vim_free(oldarray);
+@@ -2254,7 +2254,7 @@ ambw_end:
+ 	    {
+ 		int *oldarray = curbuf->b_p_vts_array;
+ 
+-		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
++		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
+ 		{
+ 		    vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index b792da5..c7190aa 100644
+--- a/src/testdir/test_retab.vim
++++ b/src/testdir/test_retab.vim
+@@ -75,6 +75,9 @@ endfunc
+ func Test_retab_error()
+   call assert_fails('retab -1',  'E487:')
+   call assert_fails('retab! -1', 'E487:')
++  call assert_fails('ret -1000', 'E487:')
++  call assert_fails('ret 10000', 'E475:')
++  call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index 2b9cdc5..83668d8 100644
--- a/vim.spec
+++ b/vim.spec
@@ -70,6 +70,8 @@ Patch3017: vim-python3-tests.patch
 Patch3018: vim-crypto-warning.patch
 Patch3019: 0001-patch-8.2.3115-Coverity-complains-about-free_wininfo.patch
 Patch3020: 0001-patch-8.2.3290-Vim9-compiling-dict-may-use-pointer-a.patch
+# 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
+Patch3021: vim-cve-var-retab.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -277,6 +279,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3018 -p1 -b .fips-warning
 %patch3019 -p1 -b .covscan-free-wininfo
 %patch3020 -p1 -b .covscan-key-freed
+%patch3021 -p1 -b .cve-var-retab
 
 %build
 cd src
@@ -839,6 +842,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 - 2011424 - Remove vim-7.4-syncolor.patch
 - 2011429 - Remove downstream patch vim-7.4-nowarning.patch
 - 2011749 - Update test suite to work without default mouse behavior
+- 2002320 - CVE-2021-3770 vim: using retab with large value may lead to heap buffer overflow [rhel-9.0]
 
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 2:8.2.2637-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags