WinRAR 7.23 Fixes RAR5 Recovery Volume Heap Overflow Vulnerability
WinRAR 7.23 fixes a heap overflow vulnerability in RAR5 recovery volume processing that can crash WinRAR, RAR, and UnRAR when they handle crafted .rev files.
The issue is tracked as CVE-2026-14191 and affects the RAR5 recovery-volume parser used during recovery or test operations. The NVD entry rates the vulnerability as high severity with a CVSS 3.1 score of 7.8 from the CNA.
RARLAB announced the fix with WinRAR 7.23, released on June 30, 2026. The update also fixes a symbolic link extraction issue and updates the bundled 7z extraction library.
What CVE-2026-14191 affects
CVE-2026-14191 affects recovery volume processing in WinRAR, RAR, and UnRAR. Recovery volumes use .rev files and help rebuild missing or damaged parts of multi-volume RAR archives.
The vulnerability sits in the RAR5 recovery-volume parser. According to the CVE record, a crafted set of two or more .rev files can trigger an out-of-bounds heap write during recovery or testing.
RARLAB says UnRAR.dll is not affected by this specific heap overflow because the library does not include recovery volume processing. That distinction matters for developers and products that embed UnRAR.dll for extraction only.
| Item | Details |
|---|---|
| CVE | CVE-2026-14191 |
| Vulnerability type | Out-of-bounds heap write |
| Affected area | RAR5 recovery-volume .rev parser |
| Affected tools | WinRAR, RAR, and UnRAR |
| Not affected by this flaw | UnRAR.dll recovery-volume path, because it does not process recovery volumes |
| Fixed version | WinRAR and RAR 7.23 |
How the WinRAR heap overflow can be triggered
The flaw does not allow an attacker to compromise a system just by reaching it over the network. Exploitation requires a crafted recovery volume set and a user or automated process that performs a recovery, test, or related operation on those files.
In practical terms, an attacker would need to deliver malicious .rev files through phishing, file sharing, a download, or another archive distribution channel. The risk increases in environments that automatically process archives or recovery sets from untrusted sources.
Successful exploitation can corrupt heap memory and crash the affected application. The CVSS vector also gives the issue high confidentiality, integrity, and availability impact, which means defenders should not treat it as only a harmless crash bug.
- Attackers need to provide crafted RAR5 recovery volume files.
- The victim or a workflow must process the recovery volume set.
- The most immediate visible impact may be an application crash.
- The bug affects archive handling code that processes untrusted input.
- Users should update WinRAR, RAR, and UnRAR to fixed releases.
WinRAR 7.23 also fixes symlink extraction risk
The 7.23 update includes a second security fix involving symbolic links. RARLAB says a specially crafted RAR archive could create a symbolic link pointing outside the intended destination folder during extraction.
The WinRAR release notes say additional checks now prevent files from being placed through such links, even across multiple extraction commands.
This fix matters because path control during extraction remains a frequent target in archive utility attacks. A crafted archive that escapes the intended folder can create opportunities for file planting, persistence, or later code execution in some attack chains.
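The kind of check described above, where an extractor refuses to place a file through a symbolic link or outside the destination folder, can be written as a small path-validation function. The Python below is an added example written for this article, not code from WinRAR, RARLAB or UnRAR; `safe_target_path` is a hypothetical helper that an extractor would call for each member name before writing, and the directory layout in `demo()` is constructed.

```python
import os
import tempfile


class UnsafeMemberPath(ValueError):
    """Raised when an archive member would land outside the destination."""


def safe_target_path(dest_dir, member_name):
    """Return the on-disk path for `member_name` under `dest_dir`, or raise.

    Three checks on the path the archive asks for:
      1. no absolute paths, drive prefixes or '..' components (classic traversal);
      2. no symbolic link on the already-existing part of the path, so a link
         planted by an earlier member (or an earlier extraction command)
         cannot redirect this write;
      3. the fully resolved path must still sit inside the resolved dest_dir.
    """
    dest_real = os.path.realpath(dest_dir)
    normalized = member_name.replace("\\", "/")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or os.path.isabs(normalized) or ":" in parts[0] or ".." in parts:
        raise UnsafeMemberPath("rejected traversal-style name: %r" % member_name)

    # Walk component by component: every directory on the way must be a real
    # directory (or not exist yet), never a symlink.
    current = dest_real
    for part in parts[:-1]:
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise UnsafeMemberPath("path goes through symlink: " + current)
    final = os.path.join(current, parts[-1])
    if os.path.islink(final):
        raise UnsafeMemberPath("target is itself a symlink: " + final)

    # Belt and braces: the resolved path must stay under the destination.
    if os.path.commonpath([dest_real, os.path.realpath(final)]) != dest_real:
        raise UnsafeMemberPath("resolved outside destination: " + final)
    return final


def demo():
    """Constructed layout: dest/ contains a symlink 'escape' -> outside/.
    Returns which member names the check allows or blocks."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        outside = os.path.join(root, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(dest, "escape"))
        results = {}
        for name in ["docs/readme.txt", "escape/dropped.txt",
                     "../evil.txt", "/etc/passwd"]:
            try:
                safe_target_path(dest, name)
                results[name] = "allowed"
            except UnsafeMemberPath:
                results[name] = "blocked"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

Checking the symlink state on disk at write time, rather than only inspecting the member name, is what makes the check hold across separate extraction commands: a link created by one run is caught when a later run tries to write through it. On Windows, `os.symlink` in `demo()` needs Developer Mode or the symlink privilege; the validation function itself works on both platforms.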
| Fix in WinRAR 7.23 | Affected component | Security impact |
|---|---|---|
| RAR5 recovery volume heap overflow | WinRAR, RAR, and UnRAR | Prevents crafted .rev files from corrupting heap memory during recovery processing |
| Symbolic link extraction hardening | WinRAR, RAR, UnRAR, and UnRAR.dll extraction workflows | Blocks symlink-based placement outside the intended extraction folder |
| 7zxa.dll library update | 7z archive extraction support | Adds upstream 7-Zip bug and security fixes |
7z extraction library updated to version 26.02
RARLAB also updated the bundled 7zxa.dll library to version 26.02. The library handles 7z archive extraction inside WinRAR.
The upstream 7-Zip 26.02 release notes are brief, but they state that some bugs and vulnerabilities were fixed. RARLAB says the updated library incorporates those bug and security fixes from 7-Zip's developer.
That makes the WinRAR 7.23 update broader than one CVE. Users also receive extraction hardening for 7z handling and symbolic link behavior.
Why archive utility patches matter
Archive tools often process files from email attachments, messaging apps, download portals, shared drives, malware sandboxes, and ticketing systems. That makes them a common point of contact with untrusted content.
Attackers have also shown long-term interest in WinRAR flaws. A Google Threat Intelligence report in January 2026 described widespread exploitation of the earlier CVE-2025-8088 WinRAR vulnerability by government-backed and financially motivated threat actors.
That earlier activity involved a different path traversal issue, not CVE-2026-14191. Still, it shows why organizations should patch archive utilities quickly instead of treating them as low-priority desktop tools.
- Archive utilities often inspect files from untrusted sources.
- Security tools, mail systems, and backup workflows may call extraction utilities automatically.
- Old WinRAR vulnerabilities have appeared in real attack campaigns.
- Users may keep outdated versions for years if updates are not centrally managed.
- Patching archive tools reduces both crash risk and file-extraction abuse paths.
Who should update first
Home users should update WinRAR if they open RAR archives, repair damaged archives, or receive compressed files through email, messaging apps, or download sites.
Enterprises should prioritize systems that process files automatically. This includes mail gateways, help desk attachment pipelines, backup tools, file conversion services, malware analysis systems, and shared workstations used for document intake.
Developers should also check embedded RAR or UnRAR binaries. A server-side application can remain vulnerable even after desktop WinRAR installs receive the update.
| Environment | Recommended action |
|---|---|
| Personal Windows PCs | Install WinRAR 7.23 or later from the official download page |
| Enterprise desktops | Deploy the update through patch management and confirm version coverage |
| Mail and file-processing systems | Audit RAR, UnRAR, and related extraction utilities used in automated workflows |
| Developers and vendors | Review bundled binaries and libraries in products that process archives |
| Security teams | Monitor suspicious .rev files and archive-repair operations from untrusted sources |
How users can get the fixed version
Users should download the current build from the official RARLAB download page or the WinRAR website. They should avoid third-party download mirrors unless their organization already validates and repackages software internally.
After installation, users should check the version number and confirm they are running WinRAR 7.23 or later. Command-line RAR and UnRAR deployments should receive the same attention, especially on servers.
Organizations that package software internally should update deployment images, software catalogs, vulnerability scanners, and allowlists. Old portable copies can remain on file servers or technician toolkits long after the main application has been patched.
- Install WinRAR 7.23 or later.
- Update command-line RAR and UnRAR tools where used.
- Search for old portable copies in shared folders and admin toolkits.
- Block or quarantine suspicious .rev files from unknown sources when possible.
- Limit automated recovery operations on untrusted RAR5 volume sets.
- Keep archive utilities in normal patch management workflows.
What defenders should monitor
Security teams should look for unexpected RAR5 recovery volume files, especially when they arrive from email, public upload forms, ticket attachments, or external file sharing services.
The upstream 7-Zip release page also shows that archive tooling continues to receive security fixes. Teams should track these dependencies when they appear inside other products.
For context, the Google Threat Intelligence analysis of prior WinRAR exploitation warned that attackers continue to use patched archive vulnerabilities against slow-moving environments.
| Signal | Why it matters |
|---|---|
| Unexpected .rev files | May indicate delivery of crafted recovery volume sets |
| WinRAR or UnRAR crashes | Can show archive parser instability after processing suspicious files |
| Archive repair events from unknown sources | May trigger vulnerable recovery-volume code in older builds |
| Old RAR or UnRAR binaries on servers | Can leave automated file-processing workflows exposed |
| Third-party products bundling archive tools | May require separate vendor updates or dependency replacement |
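The update checklist above and the monitoring signals in this table can both be folded into one intake-side script: flag archive tools still below 7.23, and report any recovery volumes that arrive before an automated repair or test operation runs on them. The Python below is an added example written for this article, not RARLAB or WinRAR code. It assumes that UnRAR and UnRAR.dll builds follow the same 7.23 numbering as WinRAR and RAR, and that RAR5 .rev files open with the same 8-byte `Rar!` signature as RAR5 archive volumes (any .rev file is reported regardless; the signature only labels it). The files written by `demo()` are constructed.

```python
import os
import re
import tempfile

# Fixed release per the RARLAB advisory; versions below this still carry the
# RAR5 recovery-volume heap overflow (CVE-2026-14191) and the symlink issue.
FIXED_VERSION = (7, 23)
# 8-byte signature that opens every RAR 5.x archive volume. Assumption for
# this example: RAR5 .rev recovery volumes start with the same marker.
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def parse_version(text):
    """Return (major, minor) from a banner or inventory string such as
    '7.23', 'WinRAR 7.23 x64' or 'UNRAR 6.24 freeware'; None if absent."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def exposure(tool, version_text):
    """Describe what an installed archive tool is still exposed to.

    tool is 'WinRAR', 'RAR', 'UnRAR' or 'UnRAR.dll'. UnRAR.dll has no
    recovery-volume code, so it is out of scope for the heap overflow but
    still needs the symlink hardening. Assumption: UnRAR and UnRAR.dll
    builds use the same 7.23 version number as WinRAR and RAR.
    """
    version = parse_version(version_text)
    if version is not None and version >= FIXED_VERSION:
        return "patched"
    if tool.lower() == "unrar.dll":
        return "symlink extraction issue"
    return "CVE-2026-14191 heap overflow; symlink extraction issue"


def triage_intake(directory, source_trusted):
    """Inventory an intake folder before any automated repair or test runs.

    Every .rev file is reported: recovery volumes are rare in normal intake
    and are the delivery vehicle for this flaw. Recovery and test operations
    are held when recovery volumes arrive from an untrusted source.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(".rev"):
            continue
        with open(path, "rb") as fh:
            head = fh.read(len(RAR5_MAGIC))
        if head == RAR5_MAGIC:
            label = "RAR5-signed recovery volume"
        else:
            label = "recovery volume with unrecognized header"
        findings.append((name, label))
    hold = bool(findings) and not source_trusted
    return {"rev_files": findings, "hold_recovery_ops": hold}


def demo():
    """Constructed sample: a two-volume archive plus two recovery volumes
    dropped into an intake folder by an untrusted sender. Not real data."""
    with tempfile.TemporaryDirectory() as intake:
        files = {
            "report.part1.rar": RAR5_MAGIC + b"\x00" * 32,
            "report.part2.rar": RAR5_MAGIC + b"\x00" * 32,
            "report.part3.rev": RAR5_MAGIC + b"\x00" * 32,
            "report.part4.rev": b"not-a-rar-header" + b"\x00" * 32,
            "notes.txt": b"plain text",
        }
        for name, data in files.items():
            with open(os.path.join(intake, name), "wb") as fh:
                fh.write(data)
        return triage_intake(intake, source_trusted=False)


if __name__ == "__main__":
    for tool, banner in [("WinRAR", "WinRAR 7.23 x64"),
                         ("UnRAR", "UNRAR 6.24 freeware"),
                         ("UnRAR.dll", "7.01")]:
        print(tool, "->", exposure(tool, banner))
    print(demo())
```

The version strings fed to `exposure` would normally come from a software inventory or from the banner printed by the command-line tools; the script deliberately treats an unparseable version as unpatched so that unknown portable copies on file servers and technician toolkits show up rather than disappear. Holding recovery operations on untrusted .rev sets directly addresses the "two or more .rev files" trigger condition in the CVE record without needing to detect the crafted content itself.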
The bottom line
WinRAR 7.23 is a security-focused maintenance release that fixes a high-severity RAR5 recovery volume heap overflow and strengthens extraction behavior.
The most urgent fix is CVE-2026-14191, which can corrupt heap memory when vulnerable tools process crafted .rev recovery volumes. The update also improves symlink handling and updates the bundled 7z extraction library.
Users and administrators should install the fixed version from the official download channel, update command-line tools, and check automated archive-processing workflows that may still rely on older RAR or UnRAR binaries.
FAQ
WinRAR 7.23 fixes a RAR5 recovery volume heap overflow vulnerability tracked as CVE-2026-14191. It also fixes a symbolic link extraction issue and updates the bundled 7zxa.dll extraction library to version 26.02.
CVE-2026-14191 is an out-of-bounds heap write vulnerability in the RAR5 recovery-volume .rev parser used by WinRAR and related command-line tools. It can be triggered when a crafted recovery volume set is processed.
RARLAB says UnRAR.dll is not affected by this specific recovery-volume heap overflow because UnRAR.dll does not include recovery volume processing. WinRAR, RAR, and UnRAR are affected.
The flaw is not a pure network remote exploit. The CVSS vector lists local attack vector and user interaction required because a victim or automated workflow must process a crafted RAR5 recovery volume set.
Anyone using WinRAR, RAR, or UnRAR should update, especially users and organizations that process archives from email, downloads, shared storage, ticketing systems, or automated file-processing workflows.