{"api_version":"1","generated_at":"2026-07-13T23:02:37+00:00","cve":"CVE-2026-14191","urls":{"html":"https://cve.report/CVE-2026-14191","api":"https://cve.report/api/cve/CVE-2026-14191.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-14191","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-14191"},"summary":{"title":"WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader","description":"An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.","state":"PUBLISHED","assigner":"securin","published_at":"2026-07-01 04:16:58","updated_at":"2026-07-09 06:16:18"},"problem_types":["CWE-129","CWE-787","CWE-787 CWE-787 Out-of-bounds Write","CWE-129 CWE-129 Improper Validation of Array Index"],"metrics":[{"version":"3.1","source":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.rarlab.com/download.htm","name":"https://www.rarlab.com/download.htm","refsource":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40477","name":"https://nvd.nist.gov/vuln/detail/CVE-2023-40477","refsource":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.securin.io/zero-days/cve-2026-14191-winrar-unrar-rar5-recovery-volume-rev-out-of-bounds-heap-write-in-recvolumes5-readheader","name":"https://www.securin.io/zero-days/cve-2026-14191-winrar-unrar-rar5-recovery-volume-rev-out-of-bounds-heap-write-in-recvolumes5-readheader","refsource":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-14191","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14191","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"RARLAB","product":"WinRAR","version":"affected 7.23 custom","platforms":["Windows"]},{"source":"CNA","vendor":"RARLAB","product":"RAR","version":"affected 7.23 custom","platforms":["Windows","Linux","macOS"]},{"source":"CNA","vendor":"RARLAB","product":"UnRAR","version":"affected 7.21 custom","platforms":["Windows","Linux","macOS"]},{"source":"CNA","vendor":"RARLAB","product":"UnRAR.dll","version":"affected 7.23 custom","platforms":["Windows"]}],"timeline":[{"source":"CNA","time":"2026-06-03T02:08:00.000Z","lang":"en","value":"Vulnerability reported to RARLAB (Eugene Roshal) by Securin"},{"source":"CNA","time":"2026-06-03T20:01:00.000Z","lang":"en","value":"RARLAB confirmed the findings after independent source review"},{"source":"CNA","time":"2026-06-30T07:51:00.000Z","lang":"en","value":"WinRAR / RAR 7.23 released with .rev processing fix"},{"source":"CNA","time":"2026-06-30T00:00:00.000Z","lang":"en","value":"CVE-2026-14191 reserved by Securin CNA"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Arjun Basnet from Securin","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"14191","cve":"CVE-2026-14191","epss":"0.003060000","percentile":"0.224590000","score_date":"2026-07-12","updated_at":"2026-07-13 00:07:37"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-14191","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-01T13:07:23.906784Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-01T13:07:52.685Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows"],"product":"WinRAR","vendor":"RARLAB","versions":[{"lessThan":"7.23","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","platforms":["Windows","Linux","macOS"],"product":"RAR","vendor":"RARLAB","versions":[{"lessThan":"7.23","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","platforms":["Windows","Linux","macOS"],"product":"UnRAR","vendor":"RARLAB","versions":[{"lessThanOrEqual":"7.21","status":"affected","version":"0","versionType":"custom"}]},{"defaultStatus":"unaffected","platforms":["Windows"],"product":"UnRAR.dll","vendor":"RARLAB","versions":[{"lessThan":"7.23","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Arjun Basnet from Securin"}],"descriptions":[{"lang":"en","value":"An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23."}],"impacts":[{"capecId":"CAPEC-100","descriptions":[{"lang":"en","value":"Overflow Buffers - a controlled out-of-bounds heap write with attacker-controlled offset and attacker-influenced value, giving a memory-corruption primitive that can be used to crash the process (verified DoS) and, per the reporter's assessment mirroring the RAR3 sibling CVE-2023-40477, can plausibly be leveraged toward remote code execution in the context of the current user. Code execution was not demonstrated by the reporter."}]}],"metrics":[{"cvssV3_1":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"CWE-787 Out-of-bounds Write","lang":"en","type":"CWE"},{"cweId":"CWE-129","description":"CWE-129 Improper Validation of Array Index","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-09T04:47:54.319Z","orgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","shortName":"securin"},"references":[{"name":"WinRAR / RAR 7.23 download (fixed release, 2026-06-30)","tags":["patch","vendor-advisory"],"url":"https://www.rarlab.com/download.htm"},{"name":"CVE-2023-40477 - Sibling RAR3-path vulnerability fixed in WinRAR 6.23","tags":["related"],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40477"},{"url":"https://www.securin.io/zero-days/cve-2026-14191-winrar-unrar-rar5-recovery-volume-rev-out-of-bounds-heap-write-in-recvolumes5-readheader"}],"source":{"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2026-06-03T02:08:00.000Z","value":"Vulnerability reported to RARLAB (Eugene Roshal) by Securin"},{"lang":"en","time":"2026-06-03T20:01:00.000Z","value":"RARLAB confirmed the findings after independent source review"},{"lang":"en","time":"2026-06-30T07:51:00.000Z","value":"WinRAR / RAR 7.23 released with .rev processing fix"},{"lang":"en","time":"2026-06-30T00:00:00.000Z","value":"CVE-2026-14191 reserved by Securin CNA"}],"title":"WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader"}},"cveMetadata":{"assignerOrgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","assignerShortName":"securin","cveId":"CVE-2026-14191","datePublished":"2026-07-01T02:41:39.316Z","dateReserved":"2026-06-30T08:32:07.249Z","dateUpdated":"2026-07-09T04:47:54.319Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-01 04:16:58","lastModifiedDate":"2026-07-09 06:16:18","problem_types":["CWE-129","CWE-787","CWE-787 CWE-787 Out-of-bounds Write","CWE-129 CWE-129 Improper Validation of Array Index"],"metrics":{"cvssMetricV31":[{"source":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-01T13:07:23.906784Z","id":"CVE-2026-14191","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"14191","Ordinal":"1","Title":"WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap wr","CVE":"CVE-2026-14191","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"14191","Ordinal":"1","NoteData":"An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.","Type":"Description","Title":"WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap wr"}]}}}