{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-14191/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-07-01T02:42:05.524Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-14191","@id":"https://www.cve.org/CVERecord?id=CVE-2026-14191","description":"An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC"},"products":[{"@id":"cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:rarlab:rar:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:rarlab:rar:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:rarlab:unrar:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:rarlab:unrar:*:*:*:*:*:*:*:*"}},{"@id":"cpe:2.3:a:rarlab:unrar.dll:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:rarlab:unrar.dll:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 7.23.","timestamp":"2026-07-01T02:42:05.524Z"}]}