CVE-2026-14191 Overview
CVE-2026-14191 is an out-of-bounds heap write in the RAR5 recovery-volume (.rev) parser used by WinRAR and UnRAR. The flaw resides in RecVolumes5::ReadHeader inside recvol5.cpp. A crafted set of two or more .rev files can write an attacker-controlled 32-bit value to RecItems[RecNum] at an offset up to 65534 * sizeof(RecVolItem) bytes beyond the allocation, corrupting adjacent heap objects. The issue is the RAR5-path sibling of CVE-2023-40477, which was patched only in the RAR3 path in WinRAR 6.23. The vulnerability is fixed in WinRAR / RAR 7.23.
Critical Impact
A user who runs a recovery or test operation on an attacker-supplied .rev set can trigger heap corruption leading to arbitrary code execution in the context of the current user.
Affected Products
- WinRAR versions prior to 7.23
- UnRAR (command-line) versions prior to 7.23
- Any third-party product embedding vulnerable UnRAR source using the RAR5 recovery-volume parser
Discovery Timeline
- 2026-07-01 - CVE-2026-14191 published to the National Vulnerability Database (NVD)
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-14191
Vulnerability Analysis
The flaw is a classic improper validation of array index [CWE-129] in the RAR5 recovery-volume parser. WinRAR and UnRAR use .rev files to reconstruct missing volumes in a multi-part RAR archive. When the parser processes the first .rev file in a set, it allocates the RecItems vector and sizes it based on that file's TotalCount field.
Each subsequent .rev file supplies its own RecNum value in the header. The parser validates RecNum only against the current file's TotalCount field, not against the actual allocated size of RecItems. An attacker who controls the headers across the .rev set can therefore make RecNum point far beyond the vector allocation.
When the parser stores the header's RevCRC field into RecItems[RecNum], it performs a 4-byte write at an attacker-chosen offset up to 65534 * sizeof(RecVolItem) bytes past the buffer. This primitive is sufficient to corrupt adjacent heap metadata and function pointers, enabling reliable code execution.
Root Cause
The root cause is a missing consistency check between the RecNum index supplied by later .rev files and the RecItems vector size established by the first file. The parser trusts the per-file TotalCount bound instead of the actual container capacity. This mirrors the RAR3 defect fixed in CVE-2023-40477, which was never propagated to the RAR5 code path in recvol5.cpp.
Attack Vector
Exploitation requires local user interaction. The victim must run a recovery or test operation against a malicious .rev set, such as unrar t x.part1.rev, the WinRAR Repair archive action, or automatic recovery triggered when extracting a volume set with a missing .rar part. Delivery typically occurs through phishing email attachments, drive-by downloads, or file-sharing platforms where users obtain archives containing crafted recovery volumes.
No authenticated network access is required. Successful exploitation yields code execution at the privilege level of the user who initiated the recovery operation.
Detection Methods for CVE-2026-14191
Indicators of Compromise
- Presence of multiple .rev files in an archive set delivered from untrusted sources, particularly where a .rar part is conveniently missing
- WinRAR or unrar processes spawning unexpected child processes such as cmd.exe, powershell.exe, or scripting hosts
- Crash reports or Windows Error Reporting entries referencing WinRAR.exe or UnRAR.exe with access violations in heap regions during archive repair operations
Detection Strategies
- Hunt for command-line invocations of unrar t, unrar x, or WinRAR.exe with arguments referencing .rev files from user download or temporary directories
- Alert on file-write events creating .rev files followed by immediate execution of a WinRAR-family process by the same user session
- Monitor for anomalous parent-child process chains where WinRAR or UnRAR spawns interactive shells, LOLBins, or network-capable binaries
Monitoring Recommendations
- Enable EDR memory-integrity telemetry on endpoints that routinely handle third-party archives, and forward the events to a centralized data lake for correlation
- Track installed WinRAR versions across the fleet and flag any host running a build earlier than 7.23
- Correlate email-gateway attachment metadata with endpoint archive-extraction events to identify inbound .rev payloads
How to Mitigate CVE-2026-14191
Immediate Actions Required
- Upgrade all WinRAR and UnRAR installations to version 7.23 or later
- Inventory third-party applications that embed the UnRAR source and confirm they have rebuilt against the fixed release
- Advise users to avoid running Repair archive or Test operations on archives from untrusted senders
Patch Information
RAR Lab released WinRAR / RAR 7.23, which corrects the bounds check in RecVolumes5::ReadHeader so RecNum is validated against the allocated size of RecItems. Download the fixed build from the WinRAR Download Page. Background on the related RAR3 defect is available at the NVD entry for CVE-2023-40477.
Workarounds
- Block inbound email attachments and web downloads containing .rev files at the perimeter until patching is complete
- Remove or restrict access to WinRAR's Repair archive menu via application control policies where feasible
- Use application allowlisting to prevent WinRAR.exe and UnRAR.exe from spawning shells or scripting interpreters as a defense-in-depth measure
# Verify installed UnRAR version on Linux/macOS hosts
unrar | head -n 2
# Windows: query the installed WinRAR version from the registry
reg query "HKLM\SOFTWARE\WinRAR" /v "Version"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

