What this actually is.
Technical background, root cause, and affected surface.
Live verified: installed UnRAR 7.22 x64 crashes (SIGSEGV, exit 139) on a crafted 2-file REV5 set; ASAN root-cause = WRITE access-violation at RecVolumes5::ReadHeader (recvol5.cpp:486). RecNum from the .rev header is validated only against the current file's TotalCount (recvol5.cpp:467), not against RecItems.size() (sized from the first .rev only), giving a controlled OOB heap write (value=RevCRC, offset=RecNum*sizeof(RecVolItem)). PoC = crash/DoS, NOT weaponized to code execution. Unpatched RAR5 variant of CVE-2023-40477 / ZDI-23-1152 (fixed RAR3-only in WinRAR 6.23 - confirmed via official 6.22->6.23 source diff). Suggested fix: add 'RecNum >= RecItems.size()' to the check at recvol5.cpp:467. Evidence + PoC held in secure disclosure package (not in this sheet).
- Vendor
- RARLAB (Alexander Roshal)
- Product
- WinRAR / UnRAR / UnRAR.dll
- Severity
- High
- CVSS Score
- 7.8
- CWE
- CWE-787: Out-of-bounds Write; CWE-129: Improper Validation of Array Index
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.