Out-of-Bounds Heap Write in WinRAR Product by RARLab
CVE-2026-14191

7.8 HIGH

Key Information:

Vendor

Rarlab

Status
Vendor
CVE Published: 1 July 2026

What is CVE-2026-14191?

A vulnerability exists in the RAR5 recovery-volume parser used in WinRAR and UnRAR that can lead to heap corruption through crafted .rev files. The flaw stems from incorrect validation of input, which allows manipulation of internal data structures, and it poses a risk when a user performs a recovery operation on a specially crafted set of .rev files. Successful exploitation could allow an attacker to overwrite memory at arbitrary locations within the heap. The vulnerability was fixed in version 7.23.

Affected Version(s)

RAR Windows 0 < 7.23

UnRAR Windows 0 <= 7.21

UnRAR.dll Windows 0 < 7.23

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arjun Basnet from Securin