CVE-2026-14191
Last modified
CVE-2026-14191 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| RARLAB | WinRAR | < 7.23 |
| RARLAB | RAR | < 7.23 |
| RARLAB | UnRAR | <= 7.21 |
| RARLAB | UnRAR.dll | < 7.23 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14191?
How severe is CVE-2026-14191?
How do I fix CVE-2026-14191?
Related CVEs from 2026
- CVE-2026-14164A double free issue has been identified in libarchive's RAR5…7.5
- CVE-2026-1417A weakness has been identified in GPAC up to 2.4.0. Affected…3.3
- CVE-2026-14178openGauss 在处理带 NLS 参数的 to_timestamp 调用时,to_timestamp_with_fm…5.9
- CVE-2026-1418A security vulnerability has been detected in GPAC up to 2.4…7.8
- CVE-2026-14181@fastify/middie versions 9.1.0 through 9.3.2 fail to guard t…7.5
- CVE-2026-1419A weakness has been identified in D-Link DCS700l 1.03.09. Af…7.2
- CVE-2026-14193DVP80ES300T with Improper Validation of Array Index Vulnerab…7.5
- CVE-2026-14198@fastify/middie versions 9.1.0 through 9.3.2 decode the enco…9.1
- CVE-2026-1420A flaw has been found in Tenda AC23 16.03.07.52. This impact…9.8
- CVE-2026-14209A vulnerability was discovered in Keycloak's Admin UI extens…4.3
- CVE-2026-1421A vulnerability has been found in code-projects Online Exami…5.4
- CVE-2026-1422A vulnerability was found in code-projects Online Examinatio…9.8
Are you affected by CVE-2026-14191?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
