WinRAR patches a heap-overflow flaw in RAR5 recovery files
WinRAR 7.23, released June 30, 2026, fixes a heap-overflow flaw (CVE-2026-14191) in how the app repairs multi-volume RAR5 archives. The flaw needs a crafted .rev recovery-volume file plus a repair action to trigger, and WinRAR has no auto-update, so the fix only reaches you once you download 7.23 yourself.
Last reviewed: 2026-07-08
What happened
RARLAB shipped WinRAR 7.23 on June 30, 2026, closing a heap-overflow bug that researcher Arjun Basnet of Securin Labs reported in the code that rebuilds a damaged multi-volume archive from RAR5 recovery volumes (.rev files). A later .rev file in the set can declare a record number the code never checks against the buffer WinRAR already allocated, letting a crafted file write attacker-controlled data past the end of it. RARLAB calls it a variant of a 2023 flaw (CVE-2023-40477) that was patched only on the older RAR3 format at the time - RAR5 stayed exposed until this release. UnRAR.dll is not affected, since that library never processes recovery volumes; WinRAR, the standalone RAR/UnRAR command-line tools, and RAR for Android inherited the fix.
Triggering it takes more than opening a file: a target must run "Repair archive," an unrar t test, or the automatic recovery WinRAR attempts on an incomplete set, against an archive shipped with a booby-trapped .rev file. Severity sits at CVSS 7.8; trackers list no public exploit code or confirmed real-world use so far - unlike an older, patched WinRAR flaw that attackers kept exploiting for months because so many installs never got updated.
| Item | Detail |
|---|---|
| Affected | WinRAR, RAR, UnRAR command-line tools (through 7.22) |
| Not affected | UnRAR.dll (does not process recovery volumes) |
| Fixed in | WinRAR 7.23 (June 30, 2026) |
| Trigger | Repair or test operation on a crafted multi-volume RAR5 + .rev set |
Why it matters for everyday files
Recovery volumes are optional .rev files some archiving tools add so a multi-part RAR set can be rebuilt if a piece goes missing or gets corrupted. Most people never touch them directly, but they still travel inside old backup sets and archives someone else forwards to you. Filtering by file extension will not catch this: the payload lives inside a normal-looking .rev file, and a gateway checking only "is this a .zip or .rar" lets that sibling file through. WinRAR also has no auto-update, so a fix released today can sit unapplied indefinitely unless someone installs it by hand.
What to do with your files right now
- Update desktop WinRAR by hand. Check "About WinRAR" for your version, then download 7.23 or newer from the official site if you are behind - the fix will not arrive on its own.
- Skip repair on unexpected multi-volume sets. If a .rar/.r00/.rev bundle arrives from someone unexpected, do not run "Repair archive" or a recovery test on it until you can verify the sender.
- Use a browser tool for plain ZIP. Extracting or creating an archive - not repairing a damaged RAR set - works in the online unzip tool and online ZIP creator, no desktop install needed.
- Still need RAR or 7z? The extract-a-file routing guide covers the safest option per format; the archive format comparison explains why RAR needs a dedicated app and ZIP does not.
Sources
- RARLAB / win-rar.com - WinRAR 7.23 Final released (primary, June 30, 2026)
- CVE-2026-14191 vulnerability record - out-of-bounds heap write in the RAR5 recovery-volume parser
- Cyber Security News - WinRAR 7.23 Fixes Heap Overflow Vulnerability that Leads to Application Crashes
- Malwarebytes - WinRAR flaw could allow attackers to take control of your computer