- The latest WinRAR update fixes a vulnerability that bad actors could use to make the app crash or even take control of your system.
- It also patches a vulnerability related to symbolic links that allowed path traversal attacks when users extract files from archives.
- WinRAR’s bundled 7-Zip library also got a fresh security overhaul. Users who handle files from email, online, or anyone who runs automated server workflows should update to 7.23 or any newer version.

RARLAB has released WinRAR 7.23. This security update fixes a newly disclosed heap overflow vulnerability. It also addresses another archive extraction weakness. That weakness could expose users to path traversal attacks.
The update is meant to tighten security across WinRAR, the RAR command-line tool, and UnRAR.
It also refreshes the integrated 7-Zip unpacking engine, picking up the latest upstream bug and security fixes.
Critical Heap Overflow in RAR5 Recovery Volumes
The most severe problem is tracked as CVE-2026-14191. The vulnerability concerns how WinRAR handles RAR5 recovery volume files, which are used to repair corrupted or incomplete archives.
The National Vulnerability Database flagged this vulnerability as an “out-of-bounds heap write.” It lives in the RAR5 recovery volume parser. A specially crafted set of recovery volume (.rev) files can write data outside the allocated memory area. This corrupts nearby memory structures.
The problem is that the software sizes the RecItems vector only when processing the first .rev file. Each subsequent .rev file supplies its own RecNum value, and the parser never checks that value against the actual size of RecItems. An attacker can therefore write data up to 65534 * sizeof(RecVolItem) bytes past the allocation.
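To show what the missing check looks like, here is an added, hypothetical model of the recovery-volume item table (names such as RevHeader and process_rev are assumptions; this is not WinRAR's code). It sizes the table from the first volume and then validates every later volume's slot index against the table that was actually allocated before indexing into it.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical, simplified model of a RAR5 recovery-volume item table; names
// are assumptions, not WinRAR's code. The table is sized from the first .rev
// file, and every later .rev file supplies its own RecNum slot index.
struct RecVolItem {
    uint32_t volume_id = 0;
    uint64_t crc = 0;
};

// Constructed header fields of one .rev file.
struct RevHeader {
    size_t rec_count;    // number of recovery volumes announced by this file
    size_t rec_num;      // slot index this file claims in the table
    uint32_t volume_id;
    uint64_t crc;
};

enum class RevStatus { Ok, CountTooLarge, CountMismatch, IndexOutOfRange };

// Maximum recovery-volume count the format allows (figure quoted in the advisory).
constexpr size_t kMaxRecVolumes = 65534;

// Hardened handling: the slot index from every volume (not only the first) is
// checked against the table that was actually allocated before it is used.
RevStatus process_rev(std::vector<RecVolItem>& items, const RevHeader& h, bool first) {
    if (h.rec_count == 0 || h.rec_count > kMaxRecVolumes) return RevStatus::CountTooLarge;
    if (first) {
        items.assign(h.rec_count, RecVolItem{});
    } else if (h.rec_count != items.size()) {
        // Later volumes must agree with the set announced by the first one.
        return RevStatus::CountMismatch;
    }
    // The check the unpatched parser lacked: RecNum against the real table size.
    if (h.rec_num >= items.size()) return RevStatus::IndexOutOfRange;
    items[h.rec_num] = RecVolItem{h.volume_id, h.crc};
    return RevStatus::Ok;
}
```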
Recovery volumes are optional files. People create them alongside multi-part RAR archives. They allow the rebuilding of damaged or missing archive parts. The vulnerability appears during recovery operations. It does not affect normal archive extraction.
RARLAB confirmed the bug affects WinRAR, RAR, and UnRAR. However, the standalone UnRAR.dll library is not affected. It does not process recovery volumes.
Arjun Basnet of Securin Labs reported the vulnerability. He received credit for the discovery.
Exploitation Requires User Interaction
Unlike some software flaws, this one cannot be exploited remotely without user action. CVE-2026-14191 requires someone to process a malicious recovery volume.
According to the NVD, attackers could trick victims into testing or repairing a crafted recovery volume set. This could happen through WinRAR’s “Repair archive” feature. It could also occur through the UnRAR command-line testing function. Automatic recovery can also trigger it when a volume in a multi-part archive is missing.
Successful exploitation can cause an application crash because of memory corruption. Security experts note that memory corruption vulnerabilities can act as a springboard for further attacks, including remote code execution. For now, there is no public evidence that attackers have exploited it.
NVD assigned it a CVSS v3.1 score indicating that the flaw can seriously affect confidentiality, integrity, and availability, while noting that exploitation still requires user interaction.
Update Blocks Symbolic Link Attacks
WinRAR 7.23 fixes a second security issue. This one involves symbolic links. Before this update, a specially crafted RAR archive could create a symbolic link. That link could point outside the chosen extraction folder. This happened even when users had not enabled the -ola option.
RARLAB says the new release adds extra validation during extraction. These checks stop extracted files from landing outside the intended folder, and the protection holds even across multiple extraction operations. This reduces the risk of path traversal attacks for WinRAR, RAR, UnRAR, and applications built around those tools.
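As an added illustration of the kind of validation described above (constructed example, not RARLAB's code; the Extractor type and its methods are assumptions), the checks below are purely lexical: every entry must resolve inside the chosen folder, a symlink's target must also resolve inside it, and later entries may not write through a link created earlier in the same session.

```cpp
#include <filesystem>
#include <set>

namespace fs = std::filesystem;

// Constructed example (not RARLAB's code): purely lexical containment checks
// an extractor can run on each entry before creating it; nothing touches disk.

// True if normalised `p` lies at or under normalised `root`.
static bool contained(const fs::path& root, const fs::path& p) {
    fs::path rel = p.lexically_relative(root);
    return !rel.empty() && *rel.begin() != fs::path("..");
}

struct Extractor {
    fs::path dest;                 // chosen extraction folder, normalised
    std::set<fs::path> links;      // symlinks already created in this session

    explicit Extractor(fs::path d) : dest(d.lexically_normal()) {}

    // Absolute filesystem location an archive entry would be written to.
    fs::path place(const fs::path& entry) const { return (dest / entry).lexically_normal(); }

    // Regular entry: must be relative, must stay inside dest, and must not pass
    // through a directory that an earlier entry created as a symlink.
    bool file_ok(const fs::path& entry) const {
        if (entry.is_absolute()) return false;
        fs::path full = place(entry);
        if (!contained(dest, full)) return false;
        for (fs::path prefix = full.parent_path(); contained(dest, prefix) && prefix != dest;
             prefix = prefix.parent_path())
            if (links.count(prefix)) return false;
        return true;
    }

    // Symlink entry: the link path obeys file_ok, and its target (relative
    // targets resolve from the link's directory) also stays inside dest.
    // Accepted links are remembered so later entries cannot write through them.
    bool symlink_ok(const fs::path& link, const fs::path& target) {
        if (!file_ok(link)) return false;
        fs::path full = place(link);
        fs::path resolved = target.is_absolute() ? target.lexically_normal()
                                                 : (full.parent_path() / target).lexically_normal();
        if (!contained(dest, resolved)) return false;
        links.insert(full);
        return true;
    }
};
```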
The company credited researcher scofaild23-bnomran for reporting this issue.
7-Zip Library Also Receives Security Update
Beyond fixing its own vulnerabilities, WinRAR 7.23 updates the bundled 7zxa.dll extraction library. It moved to version 26.02.
The newer library includes bug fixes and security updates from the 7-Zip project. This improves protection when handling 7z archives alongside RAR files.
Why Organizations Should Pay Attention
Archive utilities remain attractive targets because they are so widely used. People use them to send files by email and often wire them into cloud drives, backups, and similar services; even in enterprises, roughly half of file-handling workflows probably pass through them.
Many security products also use UnRAR/RAR components behind the scenes. That popularity makes such tools prime targets for malicious actors. Microsoft recently removed 119 malicious extensions from its Edge Add-ons Store.
Document gateways and automated file-processing systems likewise embed these components. In such environments archive processing may happen automatically, which makes keeping the embedded tools fully patched all the more important.
The newly fixed recovery volume flaw is particularly relevant for organizations. They might automatically test, repair, or validate uploaded archives. This matters even if end users never open them manually.
Update is Not Automatic
Users should note that WinRAR does not automatically install updates. They must manually download and install version 7.23. Get it from RARLAB or the official WinRAR distribution site.
Security experts recommend upgrading immediately, especially where systems handle archives received through email, downloads, or shared storage. Organizations should also update bundled copies of RAR and UnRAR, and server-side applications should move to 7.23 or a later version.
As of the time of writing, there is no report of attackers actively exploiting CVE-2026-14191. But past incidents show that attackers are quick to exploit archive software flaws once technical details become public. Installing the latest version remains the simplest way to reduce that risk.