CVE-2026-14191 PUBLISHED

WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader

Assigner: securin
Reserved: 30.06.2026 Published: 01.07.2026 Updated: 01.07.2026

An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.
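The missing check described above, modelled as an added example: this is not RARLAB's code, the struct layout, the names checkLegacy/checkHardened/processRevSet and the sample headers are assumptions constructed for illustration, and the hardened variant is the editor's suggested check, not the vendor's actual fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Simplified model of the RAR5 .rev header fields the advisory names; not
// RARLAB's code, and not the real on-disk layout (assumption).
struct RevHeader {
    uint32_t TotalCount; // number of volumes this header claims the set has
    uint32_t RecNum;     // index of this .rev file within the set
    uint32_t RevCRC;     // value the parser stores at RecItems[RecNum]
};
struct RecVolItem { uint32_t CRC = 0; bool Valid = false; };
enum class HeaderStatus { Accepted, RecNumExceedsTotalCount, RecNumExceedsRecItems };
// Check as the advisory describes the affected parser: RecNum is compared
// only with the same header's TotalCount, never with the size of RecItems.
HeaderStatus checkLegacy(const RevHeader &h, std::size_t recItemsSize) {
    (void)recItemsSize; // the advisory's point: this value is never consulted
    return h.RecNum < h.TotalCount ? HeaderStatus::Accepted
                                   : HeaderStatus::RecNumExceedsTotalCount;
}
// Hardened check: RecNum must also index the RecItems vector that was sized
// from the first header of the set (editor's suggested check, not the fix).
HeaderStatus checkHardened(const RevHeader &h, std::size_t recItemsSize) {
    if (h.RecNum >= h.TotalCount) return HeaderStatus::RecNumExceedsTotalCount;
    if (h.RecNum >= recItemsSize) return HeaderStatus::RecNumExceedsRecItems;
    return HeaderStatus::Accepted;
}
// Walks a .rev set: RecItems is sized from the first header only, as in the
// advisory. Returns the index of the first header the check rejects, or -1.
// The store is guarded so an accepted out-of-range RecNum is surfaced by the
// return value instead of corrupting memory (the real parser stores anyway).
int processRevSet(const std::vector<RevHeader> &headers,
                  HeaderStatus (*check)(const RevHeader &, std::size_t),
                  std::vector<RecVolItem> &recItems) {
    for (std::size_t i = 0; i < headers.size(); ++i) {
        const RevHeader &h = headers[i];
        if (recItems.empty()) recItems.resize(h.TotalCount);
        if (check(h, recItems.size()) != HeaderStatus::Accepted) return (int)i;
        if (h.RecNum < recItems.size()) {
            recItems[h.RecNum].CRC = h.RevCRC;
            recItems[h.RecNum].Valid = true;
        }
    }
    return -1;
}
// Constructed sample: the first .rev sizes RecItems to 3; the second claims a
// 65535-volume set and RecNum 65534, consistent with itself but not the set.
static const std::vector<RevHeader> kSampleSet = {{3, 0, 0x11111111u},
                                                  {65535, 65534, 0x22222222u}};
int firstRejectedLegacy()   { std::vector<RecVolItem> v; return processRevSet(kSampleSet, checkLegacy, v); }
int firstRejectedHardened() { std::vector<RecVolItem> v; return processRevSet(kSampleSet, checkHardened, v); }
```

With the legacy check every header of the sample set is accepted even though the second one indexes far past the three RecItems slots; the hardened check rejects it at index 1.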

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Product Status

Vendor RARLAB
Product WinRAR
Versions Default: unaffected
  • affected from 0 to 7.23 (excl.)
Vendor RARLAB
Product RAR
Versions Default: unaffected
  • affected from 0 to 7.23 (excl.)
Vendor RARLAB
Product UnRAR
Versions Default: unaffected
  • affected from 0 to 7.21 (incl.)
Vendor RARLAB
Product UnRAR.dll
Versions Default: unaffected
  • affected from 0 to 7.23 (excl.)

Credits

  • Arjun Basnet from Securin (finder)

References

Problem Types

  • CWE-787: Out-of-bounds Write
  • CWE-129: Improper Validation of Array Index

Impacts

  • Overflow Buffers - a controlled out-of-bounds heap write with attacker-controlled offset and attacker-influenced value, giving a memory-corruption primitive that can be used to crash the process (verified DoS) and, per the reporter's assessment mirroring the RAR3 sibling CVE-2023-40477, can plausibly be leveraged toward remote code execution in the context of the current user. Code execution was not demonstrated by the reporter.