In short: In July 2026, the makers of WinRAR patched a dangerous vulnerability, CVE-2026-14191, in how the RAR5 format handles recovery volumes (.rev files). A crafted set of .rev files can make WinRAR write data past the end of its allocated memory (a heap overflow), which in theory lets an attacker run their own code on the victim's computer. The fix ships in WinRAR 7.23 — install it manually, because WinRAR has no auto-update.
What happened
On 2 July 2026, a vulnerability tracked as CVE-2026-14191 came to light in the popular WinRAR archiver, as well as in the RAR and UnRAR tools that share the same engine. The flaw lives in the code that parses RAR5 recovery volumes — the optional .rev files used to repair a damaged or incomplete multi-volume archive. Developer RARLAB closed the hole in WinRAR 7.23.
At its core this is a repeat of an earlier 2023 bug (CVE-2023-40477), also found in recovery-volume handling. People are used to downloading and unpacking archives without a second thought — and that habit is exactly what the risk relies on. We covered how to do it safely in our guide on how to download software (and a VPN) safely.
How the vulnerability works
Recovery volumes (.rev) are helper files stored next to a multi-volume archive that let WinRAR rebuild missing parts. An attacker crafts a set of two or more malicious .rev files so that, when they are processed, WinRAR writes data just past the end of an allocated buffer on the heap. That corrupts the program's own memory.
A heap overflow is dangerous because carefully chosen data can overwrite internal structures and ultimately lead to arbitrary code execution — running whatever the attacker planted, with the current user's privileges. To be attacked, the victim only has to open or try to repair the booby-trapped archive. It is a close cousin of the file-borne infection we described in our report on fake software sites that spread trojans.
What it means for your data
Running someone else's code on your PC effectively means losing control of the device. Through a hole like this an attacker can install an info-stealer that lifts the passwords, cookies and sessions saved in your browser, reach your documents and messages, or gain a foothold for follow-on attacks. Archives arrive by email, in messengers and from random sites, so the delivery channel is utterly ordinary.
WinRAR has a specific weakness: no auto-update. The program does not update itself, and millions of users sit on old versions for years. That is exactly why past archiver flaws stayed a working tool for attackers so long. Until you manually install 7.23, the vulnerable version stays on your disk.
How to protect yourself
Update WinRAR to 7.23 or later. Download the current version only from the official rarlab.com site and reinstall — there is no auto-update, so the old build will not replace itself.
Do not open archives from untrusted sources. Be wary of an unfamiliar archive arriving by email or messenger, especially a multi-volume one with .rev files. Keep your antivirus enabled and updated — how the layers fit together is covered in our overview of how a VPN, antivirus and firewall work together.
Encrypt your connection on untrusted networks. A VPN will not close an archiver flaw — only the update does that — but on public or shared Wi-Fi it stops attackers on the same network from intercepting your traffic or swapping in a tampered file during download. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more privacy news on our blog.
Sources
This report is based on developer RARLAB's release (WinRAR 7.23) and analysis of CVE-2026-14191 reported by Malwarebytes and Cybersecurity News, and covered in Russian by Anti-Malware.ru (2 July 2026).
