Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local vector and UI:R because the victim must actively run a recovery/repair on the malicious .rev set; no attacker privileges (PR:N), with heap corruption yielding full C/I/A impact.
Primary rating from Vendor (securin).
CVSS VectorVendor: securin
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.
AnalysisAI
Out-of-bounds heap write in the RAR5 recovery-volume (.rev) parser of WinRAR, RAR, UnRAR, and unrar.dll (versions before 7.23) lets an attacker corrupt heap memory when a victim runs a recovery, test, or repair operation on a crafted multi-file .rev set. Because subsequent .rev files supply a RecNum value validated only against their own TotalCount and never against the actual RecItems allocation, an attacker-controlled 32-bit value can be written far past the buffer, enabling memory corruption and potential code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to possess an attacker-supplied RAR5 recovery-volume set of two or more .rev files (the OOB write is triggered by the second and subsequent .rev files, whose RecNum is validated only against their own TotalCount) AND to actively perform a recovery/test/repair operation on it - specifically running 'unrar t' (or another test/recover command) on the .rev set, invoking WinRAR's 'Repair archive' function, or triggering auto-recovery by extracting a volume set that has a missing .rar part. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8) accurately captures the shape: exploitation is local and requires user interaction (the victim must actively invoke a recovery/test/repair on the malicious .rev set), but needs no attacker privileges and yields high confidentiality, integrity, and availability impact via heap corruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker emails or hosts a multi-volume archive together with a crafted set of two or more .rev recovery files, or ships a volume set with a deliberately missing .rar part to trigger auto-recovery. When the victim attempts to repair or recover the archive (e.g. … |
| Remediation | Vendor-released patch: WinRAR / RAR / UnRAR 7.23, which fixes the RAR5 recovery-volume path (the RAR3 path was fixed earlier in 6.23 for CVE-2023-40477); upgrade all instances from https://www.rarlab.com/download.htm and rebuild or update any application that embeds unrar.dll to the 7.23 library. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running WinRAR versions before 7.23 and notify users to cease recovery or repair operations on untrusted .rev files pending patching. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
WinRAR contains a directory traversal vulnerability (CVE-2025-6218, CVSS 7.8) enabling remote code execution when users
RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a
RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the screen output via ANSI escape sequences, a differen
RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows attackers to spoof the screen output, or cause a denial o
WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a
The file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse f
Issue that bypasses the "Mark of the Web" security warning function for files when opening a symbolic link that points t
RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exp
Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to
WinRAR for Windows contains a path traversal vulnerability allowing crafted archives to execute arbitrary code, discover
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40869
GHSA-5hjj-fvq6-8j36