Skip to main content

WinRAR RAR5 Heap Overflow Enables Remote Code Execution via Malicious Recovery Volume Files (CVE-2026-14191)

Scope: WinRAR, Command-line RAR, and UnRAR (All Versions Prior to 7.23) on Windows, macOS, Linux, Android, and FreeBSD

Severity: High

A heap out-of-bounds write vulnerability (CVSS 7.8) in WinRAR's RAR5 recovery volume parser, discovered by Securin Labs researcher Arjun Basnet, allows an attacker to trigger memory corruption by crafting malicious .rev recovery volume files that cause WinRAR to write data past the end of an allocated buffer, potentially enabling arbitrary code execution when a victim opens a malicious archive, runs a repair operation, or visits a webpage that automatically triggers the recovery processing. WinRAR is installed on hundreds of millions of computers globally and lacks any automatic update mechanism, creating persistent enterprise exposure even when vendor patches are available, with Trend Micro confirming that old WinRAR vulnerabilities remain under active exploitation precisely because of this patching gap. Organizations must manually update WinRAR to version 7.23 across all endpoints immediately, deploy the update via third-party patch management tools in enterprise environments, and verify that any server-side workflows embedding UnRAR in email servers, backup systems, or file processing pipelines have also been updated.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.