SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2026-14191
    ▲ HighCVSS 7.8

    WinRAR/UnRAR RAR5 Recovery Volume (.rev) Out-of-Bounds Write via Unvalidated RecNum (RecVolumes5::ReadHeader)

    Live verified: installed UnRAR 7.22 x64 crashes (SIGSEGV, exit 139) on a crafted 2-file REV5 set; ASAN root-cause = WRITE access-violation at RecVolumes5::ReadHeader (recvol5.cpp:486). RecNum from the .rev header is validated only against the current file's TotalCount (recvol5.cpp:467), not against RecItems.size() (sized from the first .rev only), giving a controlled OOB heap write (value=RevCRC, offset=RecNum*sizeof(RecVolItem)). PoC = crash/DoS, NOT weaponized to code execution. Unpatched RAR5 variant of CVE-2023-40477 / ZDI-23-1152 (fixed RAR3-only in WinRAR 6.23 - confirmed via official 6.22->6.23 source diff). Suggested fix: add 'RecNum >= RecItems.size()' to the check at recvol5.cpp:467. Evidence + PoC held in secure disclosure package (not in this sheet).

    CVE IDCVE-2026-14191
    CVSS v3.17.8 High
    VendorRARLAB (Alexander Roshal)
    CWECWE-787: Out-of-bounds Write; CWE-129: Improper Validation of Array Index
    DisclosedJun 3, 2026
    All advisories
    • 01Description
    • 02References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    Live verified: installed UnRAR 7.22 x64 crashes (SIGSEGV, exit 139) on a crafted 2-file REV5 set; ASAN root-cause = WRITE access-violation at RecVolumes5::ReadHeader (recvol5.cpp:486). RecNum from the .rev header is validated only against the current file's TotalCount (recvol5.cpp:467), not against RecItems.size() (sized from the first .rev only), giving a controlled OOB heap write (value=RevCRC, offset=RecNum*sizeof(RecVolItem)). PoC = crash/DoS, NOT weaponized to code execution. Unpatched RAR5 variant of CVE-2023-40477 / ZDI-23-1152 (fixed RAR3-only in WinRAR 6.23 - confirmed via official 6.22->6.23 source diff). Suggested fix: add 'RecNum >= RecItems.size()' to the check at recvol5.cpp:467. Evidence + PoC held in secure disclosure package (not in this sheet).

    Vendor
    RARLAB (Alexander Roshal)
    Product
    WinRAR / UnRAR / UnRAR.dll
    Severity
    High
    CVSS Score
    7.8
    CWE
    CWE-787: Out-of-bounds Write; CWE-129: Improper Validation of Array Index
    02/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2026-14191

    nvd.nist.gov/vuln/detail/CVE-2026-14191 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum