New vulnerability in WinRAR could threaten millions of users

Blog  — Tue 22 Aug 2023

A serious vulnerability has recently come to light in the widely used WinRAR archiver. RARLAB puts WinRAR's user base at up to 500 million worldwide, so the discovery has potentially far-reaching consequences. The vulnerability, tracked as CVE-2023-40477, carries a CVSS severity score of 7.8 out of 10 (rated High), reflecting the significant risk associated with it.

The flaw is an out-of-bounds memory access in WinRAR's handling of recovery volumes. It was found by the researcher known as "goodbyeselene", who reported it through Trend Micro's Zero Day Initiative (ZDI) on June 8, 2023. According to the ZDI advisory, WinRAR does not adequately validate data it reads from an archive before using it to address memory, which allows reads or writes outside the intended buffer. In practice, this means an attacker can execute arbitrary code in the context of the current user. Note the precondition: the victim has to open a specially crafted archive (or recovery volume) with a vulnerable WinRAR; there is no exploitation without that user interaction, which is why the score is 7.8 rather than critical.
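To make the bug class concrete, here is an added illustration. It is not WinRAR's code and does not reproduce the actual CVE-2023-40477 flaw; the file layout, the record format, the function names and the sample records are all constructed for this example. A toy parser reads a table index from an untrusted archive record and uses it as-is (the vulnerable form), beside the version that validates the index against the table size first (the hardened form). The out-of-bounds read is kept inside one buffer so its effect can be observed safely; in a real parser the same arithmetic lands on unrelated heap memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example (not WinRAR's real format): a blob
 * holding an 8-entry table of 4-byte values, immediately followed by 16
 * bytes of unrelated data that a parser must never hand back to a caller. */
#define TABLE_ENTRIES 8
#define ENTRY_SIZE    4
#define TABLE_BYTES   (TABLE_ENTRIES * ENTRY_SIZE)
#define TRAILER_BYTES 16
#define BLOB_BYTES    (TABLE_BYTES + TRAILER_BYTES)

static const uint32_t TRAILER_MARKER = 0xDEADBEEFu; /* what lives after the table */

/* Fill the blob: table entry i holds 0x1000 + i; the trailer is a marker pattern. */
static void build_blob(uint8_t blob[BLOB_BYTES]) {
    for (uint32_t i = 0; i < TABLE_ENTRIES; i++) {
        uint32_t v = 0x1000u + i;
        memcpy(blob + i * ENTRY_SIZE, &v, ENTRY_SIZE);
    }
    for (size_t i = 0; i < TRAILER_BYTES; i += ENTRY_SIZE)
        memcpy(blob + TABLE_BYTES + i, &TRAILER_MARKER, ENTRY_SIZE);
}

/* The untrusted record: a 2-byte little-endian table index read from the archive. */
static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* VULNERABLE ('before'): the index is used as-is. Any idx >= TABLE_ENTRIES
 * computes an offset past the table. Here the read stays inside the blob so
 * it is observable; in a real parser it would touch unrelated memory, which
 * is the out-of-bounds access class the advisory describes. */
static uint32_t lookup_unchecked(const uint8_t blob[BLOB_BYTES], const uint8_t record[2]) {
    uint16_t idx = read_u16le(record);
    uint32_t v;
    memcpy(&v, blob + (size_t)idx * ENTRY_SIZE, ENTRY_SIZE); /* no bounds check */
    return v;
}

/* HARDENED ('after'): validate the index against the table size before using
 * it. Returns 0 on success with *out set, -1 if the record is malformed. */
static int lookup_checked(const uint8_t blob[BLOB_BYTES], const uint8_t record[2], uint32_t *out) {
    uint16_t idx = read_u16le(record);
    if (idx >= TABLE_ENTRIES)
        return -1; /* reject; do not clamp, a clamped index silently mislabels data */
    memcpy(out, blob + (size_t)idx * ENTRY_SIZE, ENTRY_SIZE);
    return 0;
}

/* Wrappers that build the blob and a record for a given index, so each path
 * can be exercised with a single call. demo_checked returns the value or -1. */
uint32_t demo_unchecked(uint16_t idx) {
    uint8_t blob[BLOB_BYTES];
    uint8_t rec[2] = { (uint8_t)(idx & 0xffu), (uint8_t)(idx >> 8) };
    build_blob(blob);
    return lookup_unchecked(blob, rec);
}

long long demo_checked(uint16_t idx) {
    uint8_t blob[BLOB_BYTES];
    uint8_t rec[2] = { (uint8_t)(idx & 0xffu), (uint8_t)(idx >> 8) };
    uint32_t v = 0;
    build_blob(blob);
    if (lookup_checked(blob, rec, &v) != 0)
        return -1;
    return (long long)v;
}

int main(void) {
    /* Constructed records: index 3 (valid) and index 8 (one past the last entry). */
    printf("unchecked, idx 3: 0x%x\n", demo_unchecked(3));
    printf("unchecked, idx 8: 0x%x  <- trailer data, not a table entry\n", demo_unchecked(8));
    printf("checked,   idx 3: %lld\n", demo_checked(3));
    printf("checked,   idx 8: %lld (rejected)\n", demo_checked(8));
    return 0;
}
```

The only difference between the two lookups is the single comparison against the table size; that is what "inadequate validation of user input" means in an advisory of this kind. Rejecting a bad index rather than clamping it matters too: a clamped index keeps the parser "safe" but returns the wrong entry, which is its own source of bugs.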

After ZDI reported the vulnerability to RARLAB, the vendor released WinRAR version 6.23 on August 2, 2023, which fixes the issue. ZDI published its advisory on August 17, 2023.

If you are using WinRAR, it is strongly recommended to update to version 6.23 or later from the official RARLAB website: https://www.rarlab.com/download.htm. Note that WinRAR has no automatic update mechanism, so an installed copy stays vulnerable until someone replaces it by hand; check the installed version via Help > About WinRAR (or the file version of WinRAR.exe) and treat anything below 6.23 as affected. Until the update is applied, be cautious about opening archives from untrusted sources, since a crafted file is what triggers the flaw.