WinRAR 7.23 Fixes RAR5 Recovery Volume Heap Overflow Vulnerability


WinRAR 7.23 fixes a heap overflow vulnerability in RAR5 recovery volume processing that can crash WinRAR, RAR, and UnRAR when they handle crafted .rev files.

The issue is tracked as CVE-2026-14191 and affects the RAR5 recovery-volume parser used during recovery or test operations. The NVD entry rates the vulnerability as high severity with a CVSS 3.1 score of 7.8 from the CNA.

RARLAB announced the fix with WinRAR 7.23, released on June 30, 2026. The update also fixes a symbolic link extraction issue and updates the bundled 7z extraction library.

What CVE-2026-14191 affects

CVE-2026-14191 affects recovery volume processing in WinRAR, RAR, and UnRAR. Recovery volumes use .rev files and help rebuild missing or damaged parts of multi-volume RAR archives.

The vulnerability sits in the RAR5 recovery-volume parser. According to the CVE record, a crafted set of two or more .rev files can trigger an out-of-bounds heap write during recovery or testing.

RARLAB says UnRAR.dll is not affected by this specific heap overflow because the library does not include recovery volume processing. That distinction matters for developers and products that embed UnRAR.dll for extraction only.

| Item | Details |
|---|---|
| CVE | CVE-2026-14191 |
| Vulnerability type | Out-of-bounds heap write |
| Affected area | RAR5 recovery-volume .rev parser |
| Affected tools | WinRAR, RAR, and UnRAR |
| Not affected by this flaw | UnRAR.dll recovery-volume path, because it does not process recovery volumes |
| Fixed version | WinRAR and RAR 7.23 |

How the WinRAR heap overflow can be triggered

The flaw does not allow an attacker to compromise a system just by reaching it over the network. Exploitation requires a crafted recovery volume set and a user or automated process that performs a recovery, test, or related operation on those files.

In practical terms, an attacker would need to deliver malicious .rev files through phishing, file sharing, a download, or another archive distribution channel. The risk increases in environments that automatically process archives or recovery sets from untrusted sources.

Successful exploitation can corrupt heap memory and crash the affected application. The CVSS vector also gives the issue high confidentiality, integrity, and availability impact, which means defenders should not treat it as only a harmless crash bug.

  • Attackers need to provide crafted RAR5 recovery volume files.
  • The victim or a workflow must process the recovery volume set.
  • The most immediate visible impact may be an application crash.
  • The bug affects archive handling code that processes untrusted input.
  • Users should update WinRAR, RAR, and UnRAR to fixed releases.

The 7.23 update includes a second security fix involving symbolic links. RARLAB says a specially crafted RAR archive could create a symbolic link pointing outside the intended destination folder during extraction.

The WinRAR release notes say additional checks now prevent files from being placed through such links, even across multiple extraction commands.

This fix matters because path control during extraction remains a frequent target in archive utility attacks. A crafted archive that escapes the intended folder can create opportunities for file planting, persistence, or later code execution in some attack chains.

| Fix in WinRAR 7.23 | Affected component | Security impact |
|---|---|---|
| RAR5 recovery volume heap overflow | WinRAR, RAR, and UnRAR | Prevents crafted .rev files from corrupting heap memory during recovery processing |
| Symbolic link extraction hardening | WinRAR, RAR, UnRAR, and UnRAR.dll extraction workflows | Blocks symlink-based placement outside the intended extraction folder |
| 7zxa.dll library update | 7z archive extraction support | Adds upstream 7-Zip bug and security fixes |

7z extraction library updated to version 26.02

RARLAB also updated the bundled 7zxa.dll library to version 26.02. The library handles 7z archive extraction inside WinRAR.

The upstream 7-Zip 26.02 release notes are brief, but they state that some bugs and vulnerabilities were fixed. RARLAB says the updated library incorporates those bug and security fixes from 7-Zip's developer.

That makes the WinRAR 7.23 update broader than one CVE. Users also receive extraction hardening for 7z handling and symbolic link behavior.

Why archive utility patches matter

Archive tools often process files from email attachments, messaging apps, download portals, shared drives, malware sandboxes, and ticketing systems. That makes them a common point of contact with untrusted content.

Attackers have also shown long-term interest in WinRAR flaws. A Google Threat Intelligence report in January 2026 described widespread exploitation of the earlier CVE-2025-8088 WinRAR vulnerability by government-backed and financially motivated threat actors.

That earlier activity involved a different path traversal issue, not CVE-2026-14191. Still, it shows why organizations should patch archive utilities quickly instead of treating them as low-priority desktop tools.

  • Archive utilities often inspect files from untrusted sources.
  • Security tools, mail systems, and backup workflows may call extraction utilities automatically.
  • Old WinRAR vulnerabilities have appeared in real attack campaigns.
  • Users may keep outdated versions for years if updates are not centrally managed.
  • Patching archive tools reduces both crash risk and file-extraction abuse paths.

Who should update first

Home users should update WinRAR if they open RAR archives, repair damaged archives, or receive compressed files through email, messaging apps, or download sites.

Enterprises should prioritize systems that process files automatically. This includes mail gateways, help desk attachment pipelines, backup tools, file conversion services, malware analysis systems, and shared workstations used for document intake.

Developers should also check embedded RAR or UnRAR binaries. A server-side application can remain vulnerable even after desktop WinRAR installs receive the update.

| Environment | Recommended action |
|---|---|
| Personal Windows PCs | Install WinRAR 7.23 or later from the official download page |
| Enterprise desktops | Deploy the update through patch management and confirm version coverage |
| Mail and file-processing systems | Audit RAR, UnRAR, and related extraction utilities used in automated workflows |
| Developers and vendors | Review bundled binaries and libraries in products that process archives |
| Security teams | Monitor suspicious .rev files and archive-repair operations from untrusted sources |

How users can get the fixed version

Users should download the current build from the official RARLAB download page or the WinRAR website. They should avoid third-party download mirrors unless their organization already validates and repackages software internally.

After installation, users should check the version number and confirm they are running WinRAR 7.23 or later. Command-line RAR and UnRAR deployments should receive the same attention, especially on servers.

Organizations that package software internally should update deployment images, software catalogs, vulnerability scanners, and allowlists. Old portable copies can remain on file servers or technician toolkits long after the main application has been patched.

  • Install WinRAR 7.23 or later.
  • Update command-line RAR and UnRAR tools where used.
  • Search for old portable copies in shared folders and admin toolkits.
  • Block or quarantine suspicious .rev files from unknown sources when possible.
  • Limit automated recovery operations on untrusted RAR5 volume sets.
  • Keep archive utilities in normal patch management workflows.
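An added example for the version-check and portable-copy search steps above (this is not code from RARLAB or from this article): a PowerShell script that finds WinRAR.exe, Rar.exe, UnRAR.exe and UnRAR.dll copies under chosen search roots, reads each file's version resource and flags anything below 7.23. The search roots beyond Program Files, the assumption that the file version resource reads as "Major.Minor[.Build.Revision]" with a two-digit minor (for example "7.23"), and the function name Get-RarBinaryStatus are assumptions, not documented RARLAB behavior.

```powershell
# Added example (not RARLAB's code): inventory RAR-family binaries and flag copies older than 7.23.
# Assumption: VersionInfo.FileVersion looks like "7.23" or "7.23.0.0"; adjust $FixedVersion if RARLAB
# changes its numbering. The last two search roots are constructed placeholders for your environment.
param(
    [string[]]$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "C:\Tools", "\\fileserver\toolkits"),
    [version]$FixedVersion = [version]"7.23"
)

# File names the article lists as affected; UnRAR.dll is included so bundled copies become visible.
$names = @("WinRAR.exe", "Rar.exe", "UnRAR.exe", "UnRAR.dll")

function Get-RarBinaryStatus {
    param([string[]]$Roots, [string[]]$FileNames, [version]$Fixed)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $FileNames -ErrorAction SilentlyContinue |
            ForEach-Object {
                $raw = $_.VersionInfo.FileVersion
                # Strip anything that is not a digit or dot, then parse; unparseable strings are
                # reported as "unknown" rather than silently skipped, so nothing hides from the report.
                $parsed = $null
                $ok = $raw -and [version]::TryParse(($raw -replace '[^0-9.]', ''), [ref]$parsed)
                [pscustomobject]@{
                    Path    = $_.FullName
                    Version = $raw
                    Status  = if (-not $ok) { "unknown" }
                              elseif ($parsed -lt $Fixed) { "OUTDATED" }
                              else { "ok" }
                    # Per RARLAB, UnRAR.dll has no recovery-volume code, but it still gets the symlink fix.
                    Note    = if ($_.Name -ieq "UnRAR.dll") { "not affected by CVE-2026-14191; symlink fix applies" } else { "" }
                }
            }
    }
}

$report = Get-RarBinaryStatus -Roots $SearchRoots -FileNames $names -Fixed $FixedVersion
$report | Sort-Object Status, Path | Format-Table -AutoSize
# Exit non-zero when anything outdated is found so a scheduled job or patch-compliance check can alert.
if ($report | Where-Object Status -eq "OUTDATED") { exit 1 }
```

Run it with the account that can read the shares you want covered; the "unknown" rows are worth a manual look because a missing or odd version resource can indicate a renamed or repackaged copy.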

What defenders should monitor

Security teams should look for unexpected RAR5 recovery volume files, especially when they arrive from email, public upload forms, ticket attachments, or external file sharing services.

The upstream 7-Zip release page also shows that archive tooling continues to receive security fixes. Teams should track these dependencies when they appear inside other products.

For context, the Google Threat Intelligence analysis of prior WinRAR exploitation warned that attackers continue to use patched archive vulnerabilities against slow-moving environments.

| Signal | Why it matters |
|---|---|
| Unexpected .rev files | May indicate delivery of crafted recovery volume sets |
| WinRAR or UnRAR crashes | Can show archive parser instability after processing suspicious files |
| Archive repair events from unknown sources | May trigger vulnerable recovery-volume code in older builds |
| Old RAR or UnRAR binaries on servers | Can leave automated file-processing workflows exposed |
| Third-party products bundling archive tools | May require separate vendor updates or dependency replacement |

The bottom line

WinRAR 7.23 is a security-focused maintenance release that fixes a high-severity RAR5 recovery volume heap overflow and strengthens extraction behavior.

The most urgent fix is CVE-2026-14191, which can corrupt heap memory when vulnerable tools process crafted .rev recovery volumes. The update also improves symlink handling and updates the bundled 7z extraction library.

Users and administrators should install the fixed version from the official download channel, update command-line tools, and check automated archive-processing workflows that may still rely on older RAR or UnRAR binaries.

FAQ

What does WinRAR 7.23 fix?

WinRAR 7.23 fixes a RAR5 recovery volume heap overflow vulnerability tracked as CVE-2026-14191. It also fixes a symbolic link extraction issue and updates the bundled 7zxa.dll extraction library to version 26.02.

What is CVE-2026-14191?

CVE-2026-14191 is an out-of-bounds heap write vulnerability in the RAR5 recovery-volume .rev parser used by WinRAR and related command-line tools. It can be triggered when a crafted recovery volume set is processed.

Does CVE-2026-14191 affect UnRAR.dll?

RARLAB says UnRAR.dll is not affected by this specific recovery-volume heap overflow because UnRAR.dll does not include recovery volume processing. WinRAR, RAR, and UnRAR are affected.

Can CVE-2026-14191 be exploited remotely?

The flaw is not a pure network remote exploit. The CVSS vector lists local attack vector and user interaction required because a victim or automated workflow must process a crafted RAR5 recovery volume set.

Who should update to WinRAR 7.23?

Anyone using WinRAR, RAR, or UnRAR should update, especially users and organizations that process archives from email, downloads, shared storage, ticketing systems, or automated file-processing workflows.
