PT-2026-54451 · Rarlab · Unrar+1

Arjun Basnet · Published 2026-07-01 · Updated 2026-07-01

CVE-2026-14191

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WinRAR versions prior to 7.23; UnRAR versions prior to 7.23.

Description: An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser within the RecVolumes5::ReadHeader function in recvol5.cpp. The issue occurs because the RecItems vector is sized only during the processing of the first .rev file in a set. Subsequent .rev files provide a RecNum value that is validated against the file's own TotalCount field but not against the actual size of RecItems. A crafted set of two or more .rev files allows an attacker to write a 32-bit value from the RevCRC field to RecItems[RecNum] at an offset up to 65534 * sizeof(RecVolItem) bytes beyond the allocation, leading to the corruption of adjacent heap objects. This can be triggered when a user performs a recovery or test operation on a malicious .rev set, such as using the 'Repair archive' feature in WinRAR or during auto-recovery when extracting a volume set with a missing .rar part.

Recommendations: Update WinRAR to version 7.23 or later. Update UnRAR to version 7.23 or later.
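The index-validation gap described above, modelled as an added example. This is not code from the UnRAR/WinRAR source and not the vendor's fix: the RevHeader and RecVolItem layouts, the RecVolumes5 stand-in, the function names read_header_vulnerable / read_header_hardened / process_set / oob_distance_bytes and the two .rev sets are all constructed for this illustration. Field names (TotalCount, RecNum, RevCRC, RecItems) follow the advisory. The vulnerable variant reproduces the described logic, checking RecNum only against the current file's TotalCount, but reports the out-of-bounds store instead of performing it so the demo has no undefined behaviour; the hardened variant additionally requires every .rev to match the geometry fixed by the first file and bounds the index by the allocation that actually exists.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the RAR5 .rev header fields named in the advisory.
   Field names follow the advisory; the struct layout is an assumption
   made for this example, not the on-disk format. */
typedef struct {
    uint32_t TotalCount; /* how many volumes this .rev says the set holds */
    uint32_t RecNum;     /* this file's index within that set             */
    uint32_t RevCRC;     /* 32-bit value stored into RecItems[RecNum]     */
} RevHeader;

/* Assumed shape of one RecItems element; only its size matters here. */
typedef struct {
    uint32_t CRC;
    uint64_t FileSize;
    int      present;
} RecVolItem;

typedef struct {
    RecVolItem *RecItems;
    size_t      RecItemsSize; /* elements actually allocated */
} RecVolumes5;

enum { RV_OK = 0, RV_REJECT = 1, RV_OOB_WRITE = 2 };

/* Pattern the advisory describes: RecItems is sized from the first .rev
   only, and later files are checked solely against their own TotalCount.
   A store that would leave the allocation is reported, not performed. */
int read_header_vulnerable(RecVolumes5 *rv, const RevHeader *h, int first)
{
    if (first) {
        rv->RecItems = calloc(h->TotalCount, sizeof(RecVolItem));
        rv->RecItemsSize = rv->RecItems ? h->TotalCount : 0;
    }
    if (h->RecNum >= h->TotalCount)      /* the only bound that is checked */
        return RV_REJECT;
    if (h->RecNum >= rv->RecItemsSize)   /* unchecked in the vulnerable logic */
        return RV_OOB_WRITE;
    rv->RecItems[h->RecNum].CRC = h->RevCRC;
    rv->RecItems[h->RecNum].present = 1;
    return RV_OK;
}

/* Hardened variant (this example's own fix, not necessarily what 7.23 does):
   every .rev must describe the same set geometry as the first one, and the
   index is checked against the vector that was really allocated. */
int read_header_hardened(RecVolumes5 *rv, const RevHeader *h, int first)
{
    if (first) {
        rv->RecItems = calloc(h->TotalCount, sizeof(RecVolItem));
        rv->RecItemsSize = rv->RecItems ? h->TotalCount : 0;
    }
    if (h->RecNum >= h->TotalCount)
        return RV_REJECT;
    if (h->TotalCount != rv->RecItemsSize)  /* set geometry changed mid-set */
        return RV_REJECT;
    if (h->RecNum >= rv->RecItemsSize)      /* bound on the real allocation */
        return RV_REJECT;
    rv->RecItems[h->RecNum].CRC = h->RevCRC;
    rv->RecItems[h->RecNum].present = 1;
    return RV_OK;
}

/* Feeds a whole .rev set to one of the parsers; returns the first non-OK
   status, or RV_OK when every header was accepted. */
int process_set(int (*read_header)(RecVolumes5 *, const RevHeader *, int),
                const RevHeader *set, size_t n)
{
    RecVolumes5 rv = { NULL, 0 };
    int status = RV_OK;
    for (size_t i = 0; i < n && status == RV_OK; i++)
        status = read_header(&rv, &set[i], i == 0);
    free(rv.RecItems);
    return status;
}

/* Bytes between the end of the allocation and the start of element RecNum. */
size_t oob_distance_bytes(size_t allocated, uint32_t recnum)
{
    return recnum < allocated ? 0 : (recnum - allocated) * sizeof(RecVolItem);
}

/* Constructed inputs: a benign two-volume set, and a crafted set whose second
   .rev claims a 65535-volume geometry with the highest RecNum that passes
   the per-file TotalCount check. */
const RevHeader BENIGN_SET[2]  = { {2, 0, 0x11111111u}, {2, 1, 0x22222222u} };
const RevHeader CRAFTED_SET[2] = { {2, 0, 0x11111111u}, {65535, 65534, 0x41414141u} };

int main(void)
{
    printf("benign  / vulnerable: %d\n",
           process_set(read_header_vulnerable, BENIGN_SET, 2));
    printf("crafted / vulnerable: %d (target element %zu bytes past the allocation)\n",
           process_set(read_header_vulnerable, CRAFTED_SET, 2),
           oob_distance_bytes(2, 65534));
    printf("crafted / hardened:   %d\n",
           process_set(read_header_hardened, CRAFTED_SET, 2));
    return 0;
}
```

The crafted second file is accepted by the per-file check (65534 < 65535) yet targets an element far outside a two-element vector, which is exactly the gap the advisory describes; the hardened parser rejects it at the geometry comparison before any index is used.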

Fix

Improper Validation of Array Index

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2026-14191

Affected Products

Unrar
Winrar