Initializing, please wait a moment

WinRAR patches a heap-overflow flaw in RAR5 recovery files

WinRAR 7.23, released June 30, 2026, fixes a heap-overflow flaw (CVE-2026-14191) in how the app repairs multi-volume RAR5 archives. The flaw needs a crafted .rev recovery-volume file plus a repair action to trigger, and WinRAR has no auto-update, so the fix only reaches you once you download 7.23 yourself.

Last reviewed: 2026-07-08



What happened

RARLAB shipped WinRAR 7.23 on June 30, 2026, closing a heap-overflow bug that researcher Arjun Basnet of Securin Labs reported in the code that rebuilds a damaged multi-volume archive from RAR5 recovery volumes (.rev files). A later .rev file in the set can declare a record number the code never checks against the buffer WinRAR already allocated, letting a crafted file write attacker-controlled data past the end of it. RARLAB calls it a variant of a 2023 flaw (CVE-2023-40477) that was patched only on the older RAR3 format at the time - RAR5 stayed exposed until this release. UnRAR.dll is not affected, since that library never processes recovery volumes; WinRAR, the standalone RAR/UnRAR command-line tools, and RAR for Android inherited the fix.

Triggering it takes more than opening a file: a target must run "Repair archive," an unrar t test, or the automatic recovery WinRAR attempts on an incomplete set, against an archive shipped with a booby-trapped .rev file. Severity sits at CVSS 7.8; trackers list no public exploit code or confirmed real-world use so far - unlike an older, patched WinRAR flaw that attackers kept exploiting for months because so many installs never got updated.

ItemDetail
AffectedWinRAR, RAR, UnRAR command-line tools (through 7.22)
Not affectedUnRAR.dll (does not process recovery volumes)
Fixed inWinRAR 7.23 (June 30, 2026)
TriggerRepair or test operation on a crafted multi-volume RAR5 + .rev set
Check the four aspects of the RAR5 recovery flaw: affected versions, not affected, fix in WinRAR 7.23, and trigger.
Four aspects of the RAR5 recovery flaw at a glance.

Why it matters for everyday files

Recovery volumes are optional .rev files some archiving tools add so a multi-part RAR set can be rebuilt if a piece goes missing or gets corrupted. Most people never touch them directly, but they still travel inside old backup sets and archives someone else forwards to you. Filtering by file extension will not catch this: the payload lives inside a normal-looking .rev file, and a gateway checking only "is this a .zip or .rar" lets that sibling file through. WinRAR also has no auto-update, so a fix released today can sit unapplied indefinitely unless someone installs it by hand.


What to do with your files right now

  • Update desktop WinRAR by hand. Check "About WinRAR" for your version, then download 7.23 or newer from the official site if you are behind - the fix will not arrive on its own.
  • Skip repair on unexpected multi-volume sets. If a .rar/.r00/.rev bundle arrives from someone unexpected, do not run "Repair archive" or a recovery test on it until you can verify the sender.
  • Use a browser tool for plain ZIP. Extracting or creating an archive - not repairing a damaged RAR set - works in the online unzip tool and online ZIP creator, no desktop install needed.
  • Still need RAR or 7z? The extract-a-file routing guide covers the safest option per format; the archive format comparison explains why RAR needs a dedicated app and ZIP does not.
Update WinRAR, skip unknown repair, use online ZIP, or check the routing guide.
Four actions to take right now for your archived files.

Sources

← Back to News

Loading reviews...