WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader
Summary
| CVE | CVE-2026-14191 |
|---|---|
| State | PUBLISHED |
| Assigner | securin |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-01 04:16:58 UTC |
| Updated | 2026-07-09 06:16:18 UTC |
| Description | An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from 33c584b5-0579-4c06-b2a0-8d8329fcab9c
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.003060000 probability, percentile 0.224590000 (date 2026-07-12)
Problem Types: CWE-129 | CWE-787 | CWE-787 CWE-787 Out-of-bounds Write | CWE-129 CWE-129 Improper Validation of Array Index
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 33c584b5-0579-4c06-b2a0-8d8329fcab9c | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.rarlab.com/download.htm | 33c584b5-0579-4c06-b2a0-8d8329fcab9c | www.rarlab.com | |
| nvd.nist.gov/vuln/detail/CVE-2023-40477 | 33c584b5-0579-4c06-b2a0-8d8329fcab9c | nvd.nist.gov | |
| www.securin.io/zero-days/cve-2026-14191-winrar-unrar-rar5-recovery-volume-re... | 33c584b5-0579-4c06-b2a0-8d8329fcab9c | www.securin.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Arjun Basnet from Securin (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-06-03T02:08:00.000Z | Vulnerability reported to RARLAB (Eugene Roshal) by Securin |
| CNA | 2026-06-03T20:01:00.000Z | RARLAB confirmed the findings after independent source review |
| CNA | 2026-06-30T07:51:00.000Z | WinRAR / RAR 7.23 released with .rev processing fix |
| CNA | 2026-06-30T00:00:00.000Z | CVE-2026-14191 reserved by Securin CNA |
There are currently no legacy QID mappings associated with this CVE.