Critical RCE Vulnerability in WinRAR (CVE‑2026‑14191) Allows Remote Code Execution via Crafted .rev Files
What Happened — WinRAR 7.22 and earlier mishandle RAR5 recovery‑volume (.rev) files, letting an attacker write past a memory buffer and execute arbitrary code. The flaw (CVE‑2026‑14191) was patched in WinRAR 7.23, but WinRAR does not provide automatic updates, so remediation depends on manual installation.
Why It Matters for Compliance & Audit Readiness —
- Unpatched software is a direct violation of SOC 2 Change Management (CC6.1) and Vulnerability Management (CC7.1) controls.
- Continuous evidence of patch deployment is required for a defensible audit trail; a control‑mapping solution can automatically collect that evidence.
- Leaving the flaw unaddressed can invalidate the “System Operations” trust principle during a SOC 2 audit.
Who Is Affected — Any organization that permits WinRAR or UnRAR on employee workstations—technology, finance, healthcare, government, and education sectors alike.
Recommended Actions —
- Deploy WinRAR 7.23 (or later) to all endpoints and verify versions via your software‑inventory tool.
- Treat WinRAR as optional; remove it where not needed and document the decision in your asset‑management process.
- Implement automated patch‑monitoring or a third‑party notification service to generate audit‑ready logs of remediation.
Source: Malwarebytes Labs
Technical Notes — The vulnerability is a heap‑out‑of‑bounds write triggered by crafted .rev files (CVE‑2026‑14191, CVSS ≈ 9.8). It is a variant of the 2023 flaw CVE‑2023‑40477. No automatic update mechanism; exploitation by threat actors was reported in 2025.