Maker of the popular WinRAR file archiver and compression utility, RARLAB, has patched a critical vulnerability in the utility that could let attackers run malicious code on a victim’s computer. RARLAB released version 7.23 on July 2 to mitigate the vulnerability.
The flaw, tracked as CVE-2026-14191, lives in how WinRAR handles .rev files. Those .rev files are recovery volumes: extra backup pieces WinRAR can create so a damaged archive can still be rebuilt. A specially crafted set of these files can force the software to write data past the end of its allocated memory, corrupting internal data in a way attackers could exploit for code execution.
The flaw is a memory-corruption bug, also known as an out-of-bounds write, that an attacker could exploit to run code on the target system.
Security firm Malwarebytes was first to flag the patch, publishing an alert the same day RARLAB shipped the fix. Malwarebytes didn’t discover the flaw — it was already public by the time they wrote about it — but researcher Pieter Arntz warned that WinRAR “still does not offer automatic updates.”
That means users must manually download version 7.23 from win-rar.com, selecting the correct build for Windows, macOS, Android, Linux or FreeBSD. That’s significant, considering RARLAB estimates there are 500 million users of its WinRAR software who will need to manually update their software to mitigate the risk.
RARLAB’s notes state that the bug impacts “WinRAR, RAR and UnRAR” — with no “Windows only” caveat. This suggests Linux, Unix and macOS versions could be exposed too.
The European Vulnerability Database, in an entry filed as EUVD-2026-40869, classifies the bug as a variant of CVE-2023-40477, an earlier flaw.
Security teams are advised to treat WinRAR as optional software — removing it where it isn’t required, or deploying third-party update monitoring given the lack of native auto-patching.
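As an added defender-side example (not RARLAB’s or Malwarebytes’ code), here is a small Python audit that parses WinRAR, RAR and UnRAR version strings from a constructed software inventory and flags every host below 7.23 for update or removal; the hostnames, the inventory strings and the “UNRAR x.yy” banner layout are assumptions.

```python
"""Fleet check for the WinRAR/RAR/UnRAR recovery-volume fix (version 7.23).

Added example, not RARLAB's or Malwarebytes' code. Inventory strings below are
constructed; the 'UNRAR x.yy' banner layout is an assumption.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int]
FIXED_VERSION: Version = (7, 23)  # first build that mitigates CVE-2026-14191

# Matches 'WinRAR 7.12', 'UNRAR 7.01 freeware', 'RAR 6.24', ... (case-insensitive)
_VERSION_RE = re.compile(r"\b(?:WinRAR|UnRAR|RAR)\s+(\d+)\.(\d+)", re.IGNORECASE)


class Finding(NamedTuple):
    host: str
    version: Optional[Version]
    needs_update: bool


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor) from an inventory line or tool banner, or None."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(version: Version) -> bool:
    """Anything below 7.23 still carries the unpatched recovery-volume code."""
    return version < FIXED_VERSION


def audit(inventory: Dict[str, str]) -> List[Finding]:
    """inventory maps hostname -> display name or tool banner string."""
    findings = []
    for host, text in sorted(inventory.items()):
        v = parse_version(text)
        # An unparseable entry is flagged too: an unknown version is unverified.
        findings.append(Finding(host, v, v is None or is_vulnerable(v)))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "win-ws-01": "WinRAR 7.12 (64-bit)",
    "win-ws-02": "WinRAR 7.23 (64-bit)",
    "lnx-build-01": "UNRAR 7.01 freeware      Copyright (c) 1993-2024 Alexander Roshal",
    "mac-lt-03": "RAR 6.24",
    "lnx-ci-02": "some unrelated package",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:14} {str(f.version):10} {'UPDATE or REMOVE' if f.needs_update else 'ok'}")
```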
This marks the second time in three years WinRAR’s recovery-volume code has produced an exploitable bug, following CVE-2023-40477 — which went on to see real-world exploitation by Russia-aligned actors months after a patch existed. This keeps happening in the same obscure corner of the code, and because WinRAR won’t auto-update, the risk lingers inside company networks long after a fix is out.
Unlike the 2025 path-traversal flaws, RARLAB hasn’t ruled out non-Windows builds this time, which changes the patch-priority calculus for shops running RAR or UnRAR on Linux servers or macOS fleets.