The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.

And from the linked advisory:

The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

What’s going on is the specially crafted RAR, when opened, creates an unchecked buffer overflow. This dumps a shell to the process, and a payload can be executed in that shell, hiding from the user behind that process. This is different than the normal behavior you describe, where extracting a RAR can autolaunch executable code contained in the RAR in its own separate process, visible to the user (in task manager, for example), and running in the user context.

In Windows, if you have run WinRAR with admin rights, and confirmed with the User Access Control (UAC) dialog, the attacker code would also run with admin rights, without any additional UAC warning. In the “normal” behavior, you would get a second UAC warning when the autorun executable tried to run.

Pretty much whenever you see the phrase “arbitrary code execution,” this is the kind of thing that’s happening. Some of those are more serious than others, depending on the flaw. Certain kinds of flaws can return a shell in the SYSTEM context, which has even more permissions than admin.