Skip to main content

WinRAR EUVDEUVD-2026-40869

| CVE-2026-14191 HIGH
Out-of-bounds Write (CWE-787)
2026-07-01 securin GHSA-5hjj-fvq6-8j36
7.8
CVSS 3.1 · Vendor: securin
Share

Severity by source

Vendor (securin) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local vector and UI:R because the victim must actively run a recovery/repair on the malicious .rev set; no attacker privileges (PR:N), with heap corruption yielding full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorVendor: securin

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 03:45 vuln.today

DescriptionCVE.org

An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.

AnalysisAI

Out-of-bounds heap write in the RAR5 recovery-volume (.rev) parser of WinRAR, RAR, UnRAR, and unrar.dll (versions before 7.23) lets an attacker corrupt heap memory when a victim runs a recovery, test, or repair operation on a crafted multi-file .rev set. Because subsequent .rev files supply a RecNum value validated only against their own TotalCount and never against the actual RecItems allocation, an attacker-controlled 32-bit value can be written far past the buffer, enabling memory corruption and potential code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted multi-file .rev set
Delivery
Victim runs repair/test/recovery operation
Exploit
RecNum bypasses RecItems bounds check
Execution
Write RevCRC value past heap buffer
Persist
Corrupt adjacent heap objects
Impact
Achieve code execution as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to possess an attacker-supplied RAR5 recovery-volume set of two or more .rev files (the OOB write is triggered by the second and subsequent .rev files, whose RecNum is validated only against their own TotalCount) AND to actively perform a recovery/test/repair operation on it - specifically running 'unrar t' (or another test/recover command) on the .rev set, invoking WinRAR's 'Repair archive' function, or triggering auto-recovery by extracting a volume set that has a missing .rar part. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 7.8) accurately captures the shape: exploitation is local and requires user interaction (the victim must actively invoke a recovery/test/repair on the malicious .rev set), but needs no attacker privileges and yields high confidentiality, integrity, and availability impact via heap corruption. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker emails or hosts a multi-volume archive together with a crafted set of two or more .rev recovery files, or ships a volume set with a deliberately missing .rar part to trigger auto-recovery. When the victim attempts to repair or recover the archive (e.g. …
Remediation Vendor-released patch: WinRAR / RAR / UnRAR 7.23, which fixes the RAR5 recovery-volume path (the RAR3 path was fixed earlier in 6.23 for CVE-2023-40477); upgrade all instances from https://www.rarlab.com/download.htm and rebuild or update any application that embeds unrar.dll to the 7.23 library. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running WinRAR versions before 7.23 and notify users to cease recovery or repair operations on untrusted .rev files pending patching. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Winrar

View all
CVE-2025-6218 HIGH POC
7.8 Jun 21

WinRAR contains a directory traversal vulnerability (CVE-2025-6218, CVSS 7.8) enabling remote code execution when users

CVE-2023-38831 HIGH POC
7.8 Aug 23

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a

CVE-2024-36052 HIGH POC
7.5 May 21

RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the screen output via ANSI escape sequences, a differen

CVE-2024-33899 HIGH POC
7.1 Apr 29

RARLAB WinRAR before 7.00, on Linux and UNIX platforms, allows attackers to spoof the screen output, or cause a denial o

CVE-2019-25677 MEDIUM POC
6.9 Apr 05

WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a

CVE-2015-5663 HIGH
7.4 Dec 30

The file-execution functionality in WinRAR before 5.30 beta 5 allows local users to gain privileges via a Trojan horse f

CVE-2025-31334 MEDIUM
6.8 Apr 03

Issue that bypasses the "Mark of the Web" security warning function for files when opening a symbolic link that points t

CVE-2024-30370 MEDIUM
4.3 Apr 02

RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exp

CVE-2025-52331 MEDIUM
6.1 Nov 12

Cross-site scripting (XSS) vulnerability in the generate report functionality in Rarlab WinRAR 7.11, allows attackers to

CVE-2025-8088 HIGH
8.4 Aug 08

WinRAR for Windows contains a path traversal vulnerability allowing crafted archives to execute arbitrary code, discover

Share

EUVD-2026-40869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy