VYPR
High severity · 8.4 · NVD Advisory · Published Jun 6, 2026

CVE-2026-26422

Description

CVE-2026-26422: Clash Verge Service IPC allows local privilege escalation via an exposed IPC endpoint before version 2.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Clash Verge Service IPC versions prior to 2.3.0 contain a vulnerability where a world-reachable IPC endpoint can be accessed, leading to local privilege escalation. This issue stems from improper permission granting on the IPC component, specifically insecure file permissions (CWE-732) and potentially hardcoded authentication credentials (CWE-798) [1]. Affected versions include clash-verge-service-ipc < 2.0.26 and clash-verge-rev < v2.4.5 [2].

Exploitation

A local, unprivileged attacker can exploit this vulnerability by interacting with the exposed IPC endpoint. The attacker needs to be able to execute code on the target system to reach the vulnerable code path. By leveraging the insecure file permissions and potentially hardcoded credentials, the attacker can hijack the service's execution flow to gain elevated privileges [1].

Impact

Successful exploitation of this vulnerability allows a local attacker to achieve local privilege escalation (LPE). This means an attacker can gain root access to the system, compromising the confidentiality, integrity, and availability of the system [1].

Mitigation

The vulnerability is fixed in clash-verge-service-ipc version 2.0.26 and clash-verge-rev version v2.4.5. The fix involves restricting IPC permissions to 750 for directories and 660 for sockets on Unix-like systems [3]. The patched versions were released prior to the public disclosure of this CVE [1, 2, 3].
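The modes named in the mitigation (750 for the directory, 660 for the socket) can be checked on an installed system. The Rust program below is an added example, not code from clash-verge-rev or clash-verge-service-ipc; its function names and the placeholder socket path are assumptions, since the page does not give the socket location.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::path::Path;

// Modes named in the mitigation text above.
const DIR_MAX: u32 = 0o750;
const SOCK_MAX: u32 = 0o660;

/// Record a finding if `mode` grants any permission bit outside `allowed`.
fn check_mode(path: &Path, mode: u32, allowed: u32, out: &mut Vec<String>) {
    let perm = mode & 0o777; // drop file-type and setuid/setgid/sticky bits
    let extra = perm & !allowed;
    if extra != 0 {
        out.push(format!("{}: mode {:o} is broader than {:o} (extra bits {:o})",
                         path.display(), perm, allowed, extra));
    }
}

/// Audit a Unix-socket IPC endpoint and its parent directory.
/// An empty result means neither is broader than the patched modes.
pub fn audit_ipc_endpoint(socket: &Path) -> io::Result<Vec<String>> {
    let mut findings = Vec::new();
    // symlink_metadata: inspect the path itself, not a link target.
    let meta = fs::symlink_metadata(socket)?;
    if !meta.file_type().is_socket() {
        findings.push(format!("{} is not a Unix socket", socket.display()));
    }
    check_mode(socket, meta.permissions().mode(), SOCK_MAX, &mut findings);
    // A bare file name has an empty parent; treat that as the current directory.
    let dir = match socket.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    check_mode(dir, fs::metadata(dir)?.permissions().mode(), DIR_MAX, &mut findings);
    Ok(findings)
}

fn main() -> io::Result<()> {
    // Hypothetical placeholder path; pass the real socket path as argument 1.
    let path = std::env::args().nth(1)
        .unwrap_or_else(|| "/path/to/service/ipc.sock".to_string());
    let findings = audit_ipc_endpoint(Path::new(&path))?;
    for f in &findings {
        println!("FINDING: {}", f);
    }
    if findings.is_empty() {
        println!("OK: socket and directory are within 660/750");
    }
    Ok(())
}
```

Mode bits do not show who owns the socket or who belongs to its group, so review ownership and group membership alongside this check.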

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
3bbcdbe5caac

fix(service): update clash_verge_service_ipc to 2.0.27

4 files changed · +21 -78
  • Cargo.lock +15 -15 modified
    @@ -156,7 +156,7 @@ dependencies = [
      "objc2-foundation 0.3.2",
      "parking_lot",
      "percent-encoding",
    - "windows-sys 0.60.2",
    + "windows-sys 0.59.0",
      "wl-clipboard-rs",
      "x11rb",
     ]
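Review bot: the change from `windows-sys 0.60.2` to `windows-sys 0.59.0` in this dependency list is a downgrade, and the same pattern repeats in later hunks of Cargo.lock (including `socket2 0.6.1` to `socket2 0.5.10`), which suggests the whole lockfile was re-resolved rather than only the service crate being bumped. For a security fix, regenerate the lockfile with `cargo update -p clash_verge_service_ipc` so the diff is limited to that crate, or explain the downgrades in the commit message.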
    @@ -1332,8 +1332,8 @@ dependencies = [
     
     [[package]]
     name = "clash_verge_service_ipc"
    -version = "2.0.26"
    -source = "git+https://github.com/clash-verge-rev/clash-verge-service-ipc#37b9964a9bce767b5b95ea2be75613b23400c9f0"
    +version = "2.0.27"
    +source = "git+https://github.com/clash-verge-rev/clash-verge-service-ipc#43274f2db38959090797b35416c404ee482e8744"
     dependencies = [
      "anyhow",
      "compact_str",
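Review bot: the new `source` line moves the pinned upstream commit to `43274f2db38959090797b35416c404ee482e8744`, and the behaviour change ships entirely in that commit, so nothing in this repository shows what it alters. Reference the upstream change in the commit message and have a reviewer read the upstream diff between the two pinned commits before merging.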
    @@ -2120,7 +2120,7 @@ dependencies = [
      "libc",
      "option-ext",
      "redox_users 0.5.2",
    - "windows-sys 0.61.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -2393,7 +2393,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
     checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
     dependencies = [
      "libc",
    - "windows-sys 0.61.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -3616,7 +3616,7 @@ dependencies = [
      "libc",
      "percent-encoding",
      "pin-project-lite",
    - "socket2 0.6.1",
    + "socket2 0.5.10",
      "system-configuration",
      "tokio",
      "tower-service",
    @@ -3949,7 +3949,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
     dependencies = [
      "hermit-abi 0.5.2",
      "libc",
    - "windows-sys 0.61.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -4755,7 +4755,7 @@ version = "0.50.3"
     source = "registry+https://github.com/rust-lang/crates.io-index"
     checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
     dependencies = [
    - "windows-sys 0.61.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -5225,7 +5225,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
     checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
     dependencies = [
      "libc",
    - "windows-sys 0.61.2",
    + "windows-sys 0.45.0",
     ]
     
     [[package]]
    @@ -6034,7 +6034,7 @@ dependencies = [
      "quinn-udp",
      "rustc-hash",
      "rustls",
    - "socket2 0.6.1",
    + "socket2 0.5.10",
      "thiserror 2.0.17",
      "tokio",
      "tracing",
    @@ -6071,9 +6071,9 @@ dependencies = [
      "cfg_aliases",
      "libc",
      "once_cell",
    - "socket2 0.6.1",
    + "socket2 0.5.10",
      "tracing",
    - "windows-sys 0.60.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -6645,7 +6645,7 @@ dependencies = [
      "errno",
      "libc",
      "linux-raw-sys 0.11.0",
    - "windows-sys 0.61.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -8182,7 +8182,7 @@ dependencies = [
      "getrandom 0.3.4",
      "once_cell",
      "rustix 1.1.2",
    - "windows-sys 0.61.2",
    + "windows-sys 0.59.0",
     ]
     
     [[package]]
    @@ -9580,7 +9580,7 @@ version = "0.1.11"
     source = "registry+https://github.com/rust-lang/crates.io-index"
     checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
     dependencies = [
    - "windows-sys 0.61.2",
    + "windows-sys 0.48.0",
     ]
     
     [[package]]
    
  • Changelog.md +1 -0 modified
    @@ -33,5 +33,6 @@
     - 使用「编辑节点」添加节点时,自动将节点添加到第一个 `select` 类型的代理组的第一位
     - 隐藏侧边导航栏和悬浮跳转导航的滚动条
     - 完善对 AnyTLS / Mieru / Sudoku 的 GUI 支持
    +- macOS 和 Linux 对服务 IPC 权限进一步限制
     
     </details>
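Review bot: the added changelog line presents the tighter service IPC permissions on macOS and Linux as one improvement among the others in this list. Mark it as a security fix and tell users whether the installed service has to be reinstalled for the new permissions to take effect.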
    
  • src-tauri/Cargo.toml +1 -1 modified
    @@ -94,7 +94,7 @@ tauri-plugin-devtools = { version = "2.0.1" }
     tauri-plugin-mihomo = { git = "https://github.com/clash-verge-rev/tauri-plugin-mihomo" }
     clash_verge_logger = { git = "https://github.com/clash-verge-rev/clash-verge-logger" }
     async-trait = "0.1.89"
    -clash_verge_service_ipc = { version = "2.0.26", features = [
    +clash_verge_service_ipc = { version = "2.0.27", features = [
       "client",
     ], git = "https://github.com/clash-verge-rev/clash-verge-service-ipc" }
     arc-swap = "1.8.0"
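Review bot: the `clash_verge_service_ipc` entry is declared with `git = "..."` and `version = "2.0.27"` but no `rev` or `tag`, so the exact upstream commit is fixed only by Cargo.lock. Add a `rev` pointing at the reviewed commit so that regenerating the lockfile cannot move the build to a different upstream revision.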
    
  • src-tauri/src/core/service.rs +4 -62 modified
    @@ -295,54 +295,6 @@ fn force_reinstall_service() -> Result<()> {
         })
     }
     
    -/// 检查服务版本 - 使用IPC通信
    -async fn check_service_version() -> Result<String> {
    -    let version_arc: Result<String> = {
    -        logging!(info, Type::Service, "开始检查服务版本 (IPC)");
    -        let result = clash_verge_service_ipc::get_version().await;
    -        logging!(debug, Type::Service, "检查服务版本 (IPC) 结果: {:?}", result);
    -
    -        // 检查错误信息是否是JSON序列化错误或预期值错误,以适配老版本服务
    -        // 这可能是因为老版本服务的API不兼容,导致无法正确解析响应
    -        // 如果是这种情况,直接返回空字符串,表示无法获取版本
    -        if let Err(e) = result.as_ref()
    -            && (e.to_string().contains("JSON serialization error") || e.to_string().contains("expected value"))
    -        {
    -            logging!(
    -                warn,
    -                Type::Service,
    -                "服务版本检查失败,可能是老版本服务 API 不兼容: {}",
    -                e
    -            );
    -            return Ok("".to_string());
    -        }
    -
    -        // 因为上面的错误处理 Error 可能会被忽略,所以这里需要再次检查
    -        let response = result.context("无法连接到Clash Verge Service")?;
    -        if response.code > 0 {
    -            let err_msg = response.message;
    -            logging!(error, Type::Service, "获取服务版本失败: {}", err_msg);
    -            return Err(anyhow::anyhow!(err_msg));
    -        }
    -
    -        let version = response.data.unwrap_or_else(|| "unknown".into());
    -        Ok(version)
    -    };
    -
    -    match version_arc.as_ref() {
    -        Ok(v) => Ok(v.clone()),
    -        Err(e) => Err(anyhow::Error::msg(e.to_string())),
    -    }
    -}
    -
    -/// 检查服务是否需要重装
    -pub async fn check_service_needs_reinstall() -> Result<bool> {
    -    match check_service_version().await {
    -        Ok(version) => Ok(version != clash_verge_service_ipc::VERSION),
    -        Err(e) => Err(e),
    -    }
    -}
    -
     /// 尝试使用服务启动core
     pub(super) async fn start_with_existing_service(config_file: &PathBuf) -> Result<()> {
         logging!(info, Type::Service, "尝试使用现有服务启动核心");
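Review bot: the removed `check_service_version` mapped errors containing "JSON serialization error" or "expected value" to an empty version string, which made `check_service_needs_reinstall` return true for an older service with an incompatible API. Confirm that the replacement in the upstream crate still flags such a service for reinstall, since an old service is the one that most needs replacing. `check_service_needs_reinstall` was also `pub`, so check that no other caller remains.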
    @@ -483,20 +435,10 @@ impl ServiceManager {
     
         /// 综合服务状态检查(一次性完成所有检查)
         pub async fn check_service_comprehensive(&self) -> ServiceStatus {
    -        match check_service_needs_reinstall().await {
    -            Ok(need) => {
    -                logging!(debug, Type::Service, "服务当前可用,检查是否需要重装");
    -                if need {
    -                    logging!(debug, Type::Service, "服务需要重装且需要重装");
    -                    ServiceStatus::NeedsReinstall
    -                } else {
    -                    ServiceStatus::Ready
    -                }
    -            }
    -            Err(err) => {
    -                logging!(warn, Type::Service, "服务不可用,检查安装状态");
    -                ServiceStatus::Unavailable(err.to_string())
    -            }
    +        if clash_verge_service_ipc::is_reinstall_service_needed().await {
    +            ServiceStatus::NeedsReinstall
    +        } else {
    +            ServiceStatus::Ready
             }
         }
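Review bot: `check_service_comprehensive` can no longer return `ServiceStatus::Unavailable`, because the removed `Err(err)` arm was the only place that produced it and the new `if`/`else` on a `bool` yields only `NeedsReinstall` or `Ready`. If `is_reinstall_service_needed()` returns `false` when the service cannot be reached, an absent service is reported as `Ready`. Keep a reachability check or have the helper return a `Result`, and keep a log line for the failure case.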
     
    

Vulnerability mechanics

Root cause

"The service exposes a world-reachable IPC endpoint that can be accessed by unprivileged local users."

Attack vector

An unprivileged local attacker can interact with the Inter-Process Communication (IPC) endpoint exposed by the clash-verge-service. This endpoint allows the attacker to trigger actions that would normally require elevated privileges, leading to local privilege escalation. The vulnerability is present because the IPC endpoint is accessible to all users on the system.

Affected code

The vulnerability lies within the IPC communication mechanism used by clash-verge-service. Specifically, functions like `check_service_version` and `start_with_existing_service` interact with `clash_verge_service_ipc` to manage and check the service's status. The commit `3bbcdbe5caacc2ffb713af69f2c93e202573f918` in the clash-verge-rev repository contains the relevant code changes.

What the fix does

The patch modifies the `check_service_version` function and introduces `is_reinstall_service_needed` to handle service version checks more robustly. It addresses potential errors during IPC communication, such as JSON serialization issues or API incompatibilities with older service versions. By ensuring proper error handling and version comparison, the fix aims to prevent unexpected behavior or security bypasses that could arise from faulty IPC interactions, thereby mitigating the privilege escalation risk.

Preconditions

  • input: The target system must have clash-verge-service installed and running.
  • auth: The attacker must have local access to the target system with unprivileged user credentials.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
