Rarlab has released a new version of the popular WinRAR tool to patch a vulnerability that can be abused in remote code execution attacks.
The issue is fixed in WinRAR 7.23, but users must install the new version manually because WinRAR still does not offer automatic updates. They also need to make sure they download the version that matches their system and language preference.
There are five operating systems to choose from (Windows, macOS, Android, Linux, and FreeBSD), which shouldn’t be too hard. More people will struggle with choosing between 64-bit, 32-bit, or ARM builds, which requires checking their system specifications.
The vulnerability, tracked as CVE-2026-14191, affects the way WinRAR and UnRAR handle RAR5 recovery-volume (.rev) files, which are optional files used to help repair damaged or incomplete archives.
This means an attacker can craft a set of two or more .rev files that make WinRAR write data outside the memory it has allocated. In simple terms, the malicious recovery volumes can trick WinRAR into writing data just past the end of a memory buffer, corrupting its own data, which attackers may be able to exploit to run malicious code on the victim’s computer.











