CVE-2026-14191
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
An out-of-bounds heap write vulnerability exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR. The RecItems vector is sized only for the first .rev file, and subsequent files can supply a RecNum value not validated against the actual vector size. An attacker can craft a set of .rev files to write a controlled 32-bit value past the allocated buffer, corrupting adjacent heap objects.
Risk Assessment
The risk includes potential remote code execution or program crash when a user opens a malicious archive. Exploitation requires user interaction (e.g., running a repair or test operation), but could lead to system compromise.
Recommendation
Immediately update WinRAR and UnRAR to version 7.23 or later. Avoid opening .rev files from untrusted sources and refrain from running recovery operations on suspicious archives.
Original NVD description (English source)
An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.

