Link following in WinRAR - #VU136809

 

Published: July 2, 2026


Vulnerability identifier: #VU136809
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: RARLAB
Affected software:
WinRAR

Detailed vulnerability description

The vulnerability allows a remote attacker to place a symbolic link outside the destination folder.

The vulnerability exists due to improper link resolution in the extraction code when extracting a specially crafted RAR archive. A remote attacker can supply a specially crafted archive to place a symbolic link outside the destination folder.

The potential threat is limited to cases where another tool uses the created symbolic link to store files.
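
The check below is an added example, not code from RARLAB or from this advisory: a pre-extraction audit that rejects archive entries whose own path, or whose symbolic-link target, resolves outside the destination folder. The Entry type, the function names and the sample entries are constructed for illustration, and the link-target and pass-through checks go beyond the single case described above.

```python
import posixpath
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    name: str                          # path stored in the archive
    link_target: Optional[str] = None  # set only for symbolic-link entries

def _inside(path: str, base: str = "") -> Optional[str]:
    """Normalise path under base; return None if it leaves the destination."""
    path = path.replace("\\", "/")
    # Absolute and drive-qualified paths ("/x", "C:/x", "C:x") are refused outright.
    if path.startswith("/") or path[1:2] == ":":
        return None
    norm = posixpath.normpath(posixpath.join(base, path))
    return None if norm == ".." or norm.startswith("../") else norm

def audit(entries):
    """Return (name, reason) for each entry that should not be extracted."""
    rejected, links = [], set()  # links: locations of symlinks accepted so far
    for e in entries:
        loc = _inside(e.name)
        if loc is None:  # the advisory's case when the entry is a symlink
            rejected.append((e.name, "entry path outside destination"))
            continue
        parts = loc.split("/")
        # Writing below an earlier symlink would follow it on disk.
        if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
            rejected.append((e.name, "path passes through a symlink"))
            continue
        if e.link_target is not None:
            # Relative targets resolve from the directory that holds the link.
            if _inside(e.link_target, posixpath.dirname(loc)) is None:
                rejected.append((e.name, "link target outside destination"))
                continue
            links.add(loc)
    return rejected

# Constructed sample entries (not taken from a real archive).
SAMPLE = [
    Entry("docs/readme.txt"),
    Entry("docs/latest", "readme.txt"),
    Entry("../outside_link", "anywhere"),
    Entry("docs/out", "../../elsewhere"),
    Entry("docs/latest/x.txt"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"REJECT {name}: {reason}")
```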


Remediation

Install the security update from the vendor's website.
