CVE-2026-14191
HIGH
7.8
CVSS 3.1
Description
An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.
Metadata
Severity & Metrics
7.8
HIGH CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Affected products (4)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| RARLAB | RAR | Windows,Linux,macOS | 0 < 7.23 |
| RARLAB | UnRAR | Windows,Linux,macOS | 0 ≤ 7.21 |
| RARLAB | UnRAR.dll | Windows | 0 < 7.23 |
| RARLAB | WinRAR | Windows | 0 < 7.23 |
Weakness (CWE)
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 7.8 | HIGH | 3.1 | cna | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (2)
- WinRAR / RAR 7.23 download (fixed release, 2026-06-30) https://www.rarlab.com/download.htm
- CVE-2023-40477 - Sibling RAR3-path vulnerability fixed in WinRAR 6.23 https://nvd.nist.gov/vuln/detail/CVE-2023-40477