VYPR
patchPublished Jul 2, 2026· 1 source

WinRAR 7.23 Patches Heap Overflow and Path Traversal Vulnerabilities

WinRAR 7.23 addresses CVE-2026-14191, a critical heap overflow vulnerability in RAR5 recovery volume processing, alongside fixes for symbolic link handling and bundled libraries.

WinRAR 7.23 has been released to address a critical heap overflow vulnerability, identified as CVE-2026-14191, within its RAR5 recovery volume processing. This vulnerability could allow attackers to trigger application crashes or potentially execute arbitrary code by crafting malicious .rev files. The flaw resides in the code responsible for reconstructing data from RAR5 recovery volumes, which are used to repair damaged multi-volume archives. When processed, specially crafted recovery volume data could lead to out-of-bounds writes on the heap, corrupting memory structures and destabilizing WinRAR, the command-line RAR utility, and the UnRAR component. Notably, the UnRAR.dll library is not affected by this specific issue as it does not process recovery volumes.

The discovery of CVE-2026-14191 is credited to Arjun Basnet of Securin Labs, highlighting the ongoing security scrutiny of archive processing software due to its widespread integration into various applications and security gateways. Exploitation would typically require an attacker to trick a user or an automated system into processing a malicious RAR5 recovery volume, potentially bundled with legitimate-looking files. While the primary impact could be a denial-of-service through application crashes, sophisticated attackers might chain this with other vulnerabilities to achieve arbitrary code execution. This is particularly concerning for server-side applications that embed RAR or UnRAR, such as email servers or backup systems, where recovery operations might occur without direct user interaction.

Beyond the heap overflow, WinRAR 7.23 also enhances security by tightening the handling of symbolic links during archive extraction. Previously, crafted archives could create symbolic links that pointed outside the intended extraction directory, posing a path traversal risk. The updated logic now prevents the placement of files via such links across multiple extraction operations, mitigating these risks in WinRAR, RAR, and UnRAR workflows. This update also addresses potential path traversal scenarios that could arise even when specific options like '-ola' were not enabled.

In addition to these core fixes, the latest version of WinRAR incorporates security improvements by updating its bundled 7-Zip extraction library. The integrated 7zxa.dll has been updated to version 26.02, bringing with it upstream security patches and bug fixes from the 7-Zip project. This ensures that the handling of .7z archives also benefits from the latest security hardening.

RARLAB strongly advises all users and administrators to update WinRAR, RAR, and UnRAR to version 7.23 or later. This is especially crucial for systems that regularly process archives or recovery volumes from untrusted sources, such as those received via email, downloaded from the internet, or accessed from shared storage. Organizations that utilize these tools in server-side processing pipelines should verify that their embedded binaries are updated and consider implementing monitoring for suspicious recovery volume activity.

The release of WinRAR 7.23 underscores the importance of maintaining up-to-date archive utility software. Given the history of WinRAR vulnerabilities being exploited in real-world attacks, particularly those with financial motivations, keeping these tools patched is a fundamental security requirement for both individual users and enterprise environments. The combination of memory corruption, path traversal, and library updates in this release demonstrates a comprehensive approach to enhancing the security posture of the WinRAR application.

Synthesized by Vypr AI