Impact
The vulnerability is an out‑of‑bounds heap write triggered when processing RAR5 recovery‑volume (.rev) files in WinRAR and UnRAR. The RecItems array is sized only after the first .rev file, and subsequent .rev files can supply a RecNum that is validated only against that file’s TotalCount, not against the actual size of RecItems. An attacker can craft multiple .rev files that cause the parser to write a controlled 32‑bit value to RecItems[RecNum] far beyond the allocated memory, corrupting adjacent heap objects. The write occurs during a recovery or test operation and can lead to memory corruption, arbitrary code execution or a crash. The flaw maps to CWE‑129 and CWE‑787.
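A minimal C model of the index check described above, added here as an illustration; it is not UnRAR source code or RARLAB's patch, and the type and function names (`rec_table`, `rev_header`, `weak_accepts`, `rec_table_store`) are hypothetical. It contrasts validating RecNum against the file's own TotalCount with validating it against the size the array was actually allocated with.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of the state described above; all names are
   hypothetical and this is not UnRAR source code. */
typedef struct {
    uint32_t *items;   /* stands in for RecItems */
    size_t    count;   /* number of elements actually allocated */
} rec_table;

typedef struct {
    uint32_t rec_num;      /* index claimed by this .rev file */
    uint32_t total_count;  /* count claimed by this .rev file */
    uint32_t value;        /* 32-bit value stored at items[rec_num] */
} rev_header;

/* Size the table once, from the first .rev file. */
int rec_table_init(rec_table *t, const rev_header *first) {
    if (first->total_count == 0 || first->rec_num >= first->total_count)
        return -1;
    t->items = calloc(first->total_count, sizeof *t->items);
    if (t->items == NULL) return -1;
    t->count = first->total_count;
    t->items[first->rec_num] = first->value;
    return 0;
}

/* Flawed pattern: the index is checked only against the file's own field. */
int weak_accepts(const rev_header *h) {
    return h->rec_num < h->total_count;
}

/* Hardened store (one defensive choice): the index must fit the allocation,
   and a later file may not disagree with the count the table was sized from. */
int rec_table_store(rec_table *t, const rev_header *h) {
    if (t->items == NULL || h->total_count != t->count)
        return -1;
    if (h->rec_num >= t->count)
        return -1;
    t->items[h->rec_num] = h->value;
    return 0;
}

void rec_table_free(rec_table *t) {
    free(t->items);
    t->items = NULL;
    t->count = 0;
}
```

A header that is self-consistent but disagrees with the first file passes `weak_accepts` and is rejected by `rec_table_store`, which is the gap the advisory describes.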
Affected Systems
RARLAB’s RAR utility, the UnRAR command‑line extractor, the UnRAR.dll component, and the WinRAR graphical archive manager are all affected. All builds released before the 7.23 update are vulnerable; version 7.23 and later contain the patch that prevents the out‑of‑bounds write. Users of earlier WinRAR or UnRAR releases who repeatedly run recovery or test operations on potentially malicious archives are at risk.
Risk and Exploitability
The CVSS score of 7.8 indicates a high severity level. Exploitation requires the victim to execute a recovery or test command on a malicious set of .rev files, meaning the attack is not purely remote but depends on user interaction or a compromised extraction workflow. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation, yet the potential for arbitrary code execution remains a serious concern for environments that routinely work with archive recovery operations. Administrators should treat this as a priority patching issue.