diff --git a/22729.patch b/22729.patch
new file mode 100644
index 0000000..089ce08
--- /dev/null
+++ b/22729.patch
@@ -0,0 +1,52 @@
+From a917104263ac6dda15a9c9b7ab61e3378aec58a9 Mon Sep 17 00:00:00 2001
+From: koeleck <779769+koeleck@users.noreply.github.com>
+Date: Sun, 19 Mar 2023 22:32:37 +0100
+Subject: [PATCH] fix: invalid buffer size argument to snprintf #22729
+
+Problem:
+Crash in findtags_add_match with FORTIFY_SOURCE=3.
+Note: Fedora 38 packages are now built with -D_FORTIFY_SOURCE=3 by default.
+1. Compile with overflow protection.
+2. nvim --clean
+3. :h
+4. `*** overflow detected ***: terminated`
+
+The additional checks for the stated buffer size and the actual bounds
+of the buffer do not match. See `___snprintf_chk` in the glibc sources:
+https://sourceware.org/git/?p=glibc.git;a=blob;f=debug/snprintf_chk.c;h=59577de076c570b81307dd31c8c73e265808cf4c;hb=HEAD#l28
+
+Solution:
+Fix arithmetic error: The length of the previously written data is now
+subtracted from the total size of the buffer, instead of added on top.
+
+close #22718
+
+Backported by: Andreas Schneider
+---
+ src/nvim/tag.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/nvim/tag.c b/src/nvim/tag.c
+index a8d8eebb0..501f31196 100644
+--- a/src/nvim/tag.c
++++ b/src/nvim/tag.c
+@@ -2029,13 +2029,14 @@ parse_line:
+ // The format is {tagname}@{lang}NUL{heuristic}NUL
+ *tagp.tagname_end = NUL;
+ len = (size_t)(tagp.tagname_end - (char_u *)tagp.tagname);
+- mfp = xmalloc(sizeof(char) + len + 10 + ML_EXTRA + 1);
++ size_t mfp_size = sizeof(char) + len + 10 + ML_EXTRA + 1;
++ mfp = xmalloc(mfp_size);
+
+ p = (char_u *)mfp;
+ STRCPY(p, tagp.tagname);
+ p[len] = '@';
+ STRCPY(p + len + 1, help_lang);
+- snprintf((char *)p + len + 1 + ML_EXTRA, STRLEN(p) + len + 1 + ML_EXTRA, "%06d",
++ snprintf(p + len + 1 + ML_EXTRA, mfp_size - (len + 1 + ML_EXTRA), "%06d",
+ help_heuristic(tagp.tagname,
+ match_re ? matchoff : 0, !match_no_ic)
+ + help_pri);
+--
+2.39.2
+
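Review bot: The rewritten snprintf call drops the `(char *)` cast that the removed line carried, while the context line `p = (char_u *)mfp;` shows p is still `char_u *` in the tree this backport targets; passing `unsigned char *` where snprintf takes `char *` is a pointer-sign mismatch that GCC reports under -Wall and that fails the build under -Werror. The upstream commit presumably applied to a tree where p was already `char *`, so the backport should keep the cast: `snprintf((char *)p + len + 1 + ML_EXTRA, mfp_size - (len + 1 + ML_EXTRA), "%06d",`. The size arithmetic itself holds: mfp_size minus the write offset leaves 11 bytes, so "%06d" plus its terminator fits for non-negative values and anything longer is truncated by snprintf instead of written past the allocation, which is the FORTIFY_SOURCE failure the patch describes. The enclosing function starts and ends outside the hunk.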
diff --git a/neovim.spec b/neovim.spec
index a5197cb..3e2209f 100644
--- a/neovim.spec
+++ b/neovim.spec
@@ -40,7 +40,7 @@ Name: neovim
 Version: 0.8.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Apache-2.0 AND Vim
 Summary: Vim-fork focused on extensibility and agility
@@ -52,6 +52,7 @@ Source2: spec-template
 Patch0: neovim-fix-fortify-source.patch
 Patch1: https://github.com/neovim/neovim/pull/22780.patch
+Patch2: https://github.com/neovim/neovim/pull/22729.patch
 Patch1000: neovim-lua-bit32.patch
@@ -114,6 +115,7 @@ parts of Vim, without compromise, and more.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %if %{without luajit}
 %patch1000 -p1
@@ -1894,6 +1896,9 @@ find %{buildroot}%{_datadir} \( -name "*.bat" -o -name "*.awk" \) \
 %{_datadir}/nvim/runtime/tutor/en/vim-01-beginner.tutor.json
 %changelog
+* Mon Mar 27 2023 Andreas Schneider - 0.8.3-4
+- resolves: rhbz#2181836 - Fix snprintf buffer overflow with tags
+
 * Sat Mar 25 2023 Andreas Schneider - 0.8.3-3
 - resolves: rhbz#2165805 - Fix snprintf buffer overflow
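Review bot: The new Patch2 line names `https://github.com/neovim/neovim/pull/22729.patch` as its source, but the 22729.patch added in the same commit carries a `Backported by: Andreas Schneider` trailer, so it is not the file that URL serves; anyone refreshing sources from the URLs (spectool -g) would silently replace the backport with the upstream version, and the build would then carry code the packager never reviewed. Following the convention of Patch0 (`neovim-fix-fortify-source.patch`) makes the local origin explicit, e.g. `Patch2: neovim-fix-tags-snprintf-size.patch` with the file renamed to match, or at minimum a `# backport of upstream PR 22729 to 0.8.3, not the raw PR patch` comment above the Patch2 line. The %changelog entry could likewise say that the fix is a backport rather than the upstream patch as-is.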