CVE-2026-14191
Status: Received - Intake

Heap-based Buffer Overflow in WinRAR and UnRAR

Vulnerability report for CVE-2026-14191, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A

Affected Vendors & Products

Vendor Product Version / Range
rarlab winrar 7.23
rarlab winrar 6.21

Exploitability

CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Executive Summary

This vulnerability is an out-of-bounds heap write in the RAR5 recovery-volume (.rev) parser used by WinRAR and UnRAR. When a set of several .rev files is processed, the RecItems vector is sized from the first file only, while each later file supplies its own RecNum index. That index is validated against the later file's own TotalCount field but not against the actual size of RecItems, so a crafted set lets the header's 32-bit RevCRC value be written beyond the allocated buffer, corrupting adjacent heap objects.

Triggering the bug requires the victim to run a recovery or test operation on a specially crafted set of .rev files, for example with the 'unrar t' command, the 'Repair archive' feature in WinRAR, or the automatic recovery that runs when a volume set with a missing .rar part is extracted. The issue is the RAR5-path counterpart of CVE-2023-40477, which was fixed only in the RAR3 path in WinRAR 6.23; this one is fixed in WinRAR/RAR version 7.23.

Impact Analysis

Successful exploitation corrupts heap memory, which may allow an attacker to execute arbitrary code with the privileges of the user running the vulnerable software.

The CVSS v3.1 base score of 7.8 indicates high severity, with high confidentiality, integrity, and availability impact. Exploitation, however, requires local access and user interaction: the victim has to run a recovery or test operation on attacker-supplied files.

Detection Guidance

Detecting exposure to this vulnerability means identifying installations of WinRAR or UnRAR at vulnerable versions, that is, any version prior to 7.23.

Because exploitation requires running a recovery or test operation on crafted .rev files, monitoring for unusual or unexpected invocations of commands such as 'unrar t' or of WinRAR's 'Repair archive' function against .rev files may help detect attempts to trigger the vulnerability.

Ways to check the installed WinRAR or UnRAR version include:

  • On Windows, start WinRAR.exe and check the About dialog, or run WinRAR.exe from the command line with the -v option to display the version.
  • On Linux, run unrar or rar with the --version or -v flag to determine the version.

Additionally, reviewing logs (or, where available, network traffic) for recovery operations performed on .rev files may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to update WinRAR or UnRAR to version 7.23 or later, where this vulnerability is fixed.

Until the update can be applied, avoid running recovery or test operations on .rev recovery-volume files from untrusted or unknown sources, and keep in mind that extracting a volume set with a missing .rar part can trigger recovery automatically.

Educate users not to open or repair suspicious RAR archives, especially those accompanied by .rev files.
