PT-2026-54451 · Rarlab · Unrar+1
Arjun Basnet · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-14191
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WinRAR versions prior to 7.23
UnRAR versions prior to 7.23
Description
An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser within the RecVolumes5::ReadHeader function in recvol5.cpp. The issue occurs because the RecItems vector is sized only during the processing of the first .rev file in a set. Subsequent .rev files provide a RecNum value that is validated against the file's own TotalCount field but not against the actual size of RecItems. A crafted set of two or more .rev files allows an attacker to write a 32-bit value from the RevCRC field to RecItems[RecNum] at an offset up to 65534 * sizeof(RecVolItem) bytes beyond the allocation, leading to the corruption of adjacent heap objects. This can be triggered when a user performs a recovery or test operation on a malicious .rev set, such as using the 'Repair archive' feature in WinRAR or during auto-recovery when extracting a volume set with a missing .rar part.
Recommendations
Update WinRAR to version 7.23 or later.
Update UnRAR to version 7.23 or later.
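The validation gap the Description refers to, as an added C++ illustration. This is not unrar's code: the RevHeader layout, the RecVolItem fields, the kMaxRecVolumes bound and all sample values are constructed for the example; only the names RecVolumes5, ReadHeader, RecItems, RecNum, TotalCount and RevCRC are taken from the advisory. It shows why a bound taken from the file being parsed (TotalCount) says nothing about the allocation made earlier, and what the hardened check looks like.

```cpp
// Added illustration of the index-validation flaw described in the advisory.
// Not the unrar source; header layout and constants are assumed for this example.
#include <cstddef>
#include <cstdint>
#include <vector>

struct RecVolItem {
    uint32_t CRC = 0;        // assumed field holding the 32-bit RevCRC value
    bool Present = false;    // assumed field
};

// Constructed header: only the fields the advisory names.
struct RevHeader {
    uint32_t TotalCount;     // number of volumes this .rev file claims the set has
    uint32_t RecNum;         // index of this volume within the set
    uint32_t RevCRC;         // 32-bit value stored into RecItems[RecNum]
};

class RecVolumes5 {
public:
    static constexpr size_t kMaxRecVolumes = 65535;   // assumed upper bound

    // The check as the advisory describes it: RecNum is compared only with the
    // TotalCount field of the same file. It is a pure predicate here so the
    // out-of-bounds write is never actually performed.
    static bool IndexPassesFileOnlyCheck(const RevHeader &hdr) {
        return hdr.RecNum < hdr.TotalCount;
    }

    // True when a header that passes the file-only check would nevertheless
    // index past the RecItems allocation made from the first .rev file.
    bool WouldWriteOutOfBounds(const RevHeader &hdr) const {
        return IndexPassesFileOnlyCheck(hdr) && hdr.RecNum >= RecItems.size();
    }

    // Distance in bytes beyond the end of the allocation (0 when in bounds).
    size_t OverrunBytes(const RevHeader &hdr) const {
        if (hdr.RecNum < RecItems.size()) return 0;
        return (static_cast<size_t>(hdr.RecNum) - RecItems.size()) * sizeof(RecVolItem);
    }

    // Hardened reader: RecItems is still sized once, from the first header, but
    // every later header must agree with that allocation and RecNum is checked
    // against the vector's real size, not the file's own claim.
    bool ReadHeader(const RevHeader &hdr) {
        if (RecItems.empty()) {
            if (hdr.TotalCount == 0 || hdr.TotalCount > kMaxRecVolumes) return false;
            RecItems.resize(hdr.TotalCount);
        }
        if (hdr.TotalCount != RecItems.size()) return false;   // inconsistent set
        if (hdr.RecNum >= RecItems.size()) return false;       // bound by allocation
        RecVolItem &item = RecItems.at(hdr.RecNum);            // at(): checked access
        item.CRC = hdr.RevCRC;
        item.Present = true;
        return true;
    }

    const std::vector<RecVolItem> &Items() const { return RecItems; }

private:
    std::vector<RecVolItem> RecItems;
};

int main() {
    RecVolumes5 vols;
    RevHeader first{4, 1, 0x11111111};          // constructed: first .rev sizes the set to 4
    RevHeader second{65535, 65534, 0x22222222}; // constructed: later .rev with inconsistent counts
    vols.ReadHeader(first);
    // The file-only check accepts the second header; the hardened reader rejects it.
    return (RecVolumes5::IndexPassesFileOnlyCheck(second) &&
            vols.WouldWriteOutOfBounds(second) && !vols.ReadHeader(second)) ? 0 : 1;
}
```

The key design point is that the bound used for the index must come from the object being indexed: once RecItems has been sized from the first file, every subsequent header is validated against RecItems.size(), and a TotalCount that disagrees with the existing allocation is treated as a malformed set rather than trusted.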
Fix
Improper Validation of Array Index
Memory Corruption
Related Identifiers
Affected Products
Unrar
Winrar