Description
An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.
Published: 2026-07-01
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out‑of‑bounds heap write triggered when processing RAR5 recovery‑volume (.rev) files in WinRAR and UnRAR. The RecItems array is sized only after the first .rev file, and subsequent .rev files can supply a RecNum that is validated only against that file’s TotalCount, not against the actual size of RecItems. An attacker can craft multiple .rev files that cause the parser to write a controlled 32‑bit value to RecItems[RecNum] far beyond the allocated memory, corrupting adjacent heap objects. The affected operation is a recovery or test function, which if compromised can lead to memory corruption, arbitrary code execution or a crash. The flaw maps to CWE‑129 and CWE‑787.

Affected Systems

RARLAB’s RAR utility, the UnRAR command‑line extractor, the UnRAR.dll component, and the WinRAR graphical archive manager are all affected. All builds released before the 7.23 update are vulnerable; those on version 7.23 or later contain the patch that prevents the out‑of‑bounds write. Users of earlier WinRAR or UnRAR releases that repeatedly run recovery or test operations on potentially malicious archives are at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity level. Exploitation requires the victim to execute a recovery or test command on a malicious set of .rev files, meaning the attack is not purely remote but depends on user interaction or a compromised extraction workflow. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation, yet the potential for arbitrary code execution remains a serious concern for environments that routinely work with archive recovery operations. Administrators should treat this as a priority patching issue.

Generated by OpenCVE AI on July 1, 2026 at 08:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all RARLAB RAR, UnRAR, UnRAR.dll and WinRAR installations to version 7.23 or later.
  • Restrict the use of the recovery, test, or repair functions to trusted archives, or disable them for untrusted input sources.
  • Validate and verify archive files using checksum or digital signatures before initiating any recovery or extraction operation.

Generated by OpenCVE AI on July 1, 2026 at 08:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 03:30:00 +0000

Type Values Removed Values Added
Description An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.
Title WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader
Weaknesses CWE-129
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-07-01T02:42:05.524Z

Reserved: 2026-06-30T08:32:07.249Z

Link: CVE-2026-14191

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T09:00:14Z

Weaknesses
  • CWE-129

    Improper Validation of Array Index

  • CWE-787

    Out-of-bounds Write