CVE-2026-26422 - clash-verge-service-ipc world-reachable IPC LPE

clash-verge-service-ipc before 2.3.0 exposed a world-reachable local IPC endpoint. The GitHub advisory says local users could reach privileged service operations through that socket and escalate privileges. The upstream v2.3.0 release notes call out the fix directly: on Unix, IPC permissions were restricted to 750 on the directory and 660 on the socket.

This is a boundary-hardening bug, not only a versioning bug. The correct fix upgrades the IPC component, ensures the service creates sockets with least-privilege ownership from the start, and verifies no repository-owned wrapper, installer, or service unit reintroduces world-readable or world-writable IPC paths.

When to use it

  • A Rust, desktop, packaging, or deployment repository builds, vendors, forks, or configures clash-verge-service-ipc <2.3.0.
  • A privileged local helper exposes IPC for network, TUN, kernel, or administrator-only operations.
  • Installers, service units, launch scripts, or wrappers create IPC paths under shared directories or alter permissions after startup.
  • You need a bounded PR or triage note that upgrades the package and proves the local privilege boundary.

Inputs

  • Cargo.toml, Cargo.lock, packaging manifests, installers, service units, launchd/systemd files, Dockerfiles, SBOMs, and generated dependency reports.
  • IPC directory and socket creation code, ownership model, group membership, and local service account policy.
  • Privileged service request handlers reachable over the IPC path.
  • Available dependency resolution, unit, packaging, installer, service config, build, SBOM, and security scan commands.

Affected versions

  • Vulnerable package: clash-verge-service-ipc <2.3.0
  • Fixed package: clash-verge-service-ipc 2.3.0+
  • Affected condition: a privileged Clash service exposes its IPC directory or socket to unintended local users
  • Attack vector: local, no privileges required

Indicator-of-exposure

  • The repository builds, vendors, forks, packages, or deploys clash-verge-service-ipc <2.3.0.
  • Product code runs a local privileged service for network configuration, kernel control, TUN setup, or other administrator-only actions.
  • The runtime creates Unix sockets or their parent directories under shared paths such as /tmp, /var/run, or app-managed temp directories.
  • Service startup scripts, post-start hooks, or wrapper code call chmod 777, chmod 666, or similarly broad permission changes on IPC paths.
  • Desktop packaging, systemd units, launchd jobs, install scripts, or helper daemons let untrusted local users interact with a privileged service.

Quick checks:

rg -n "clash-verge-service-ipc|verge-mihomo.sock|chmod 777|chmod 666|0o777|0o666|umask|pre_exec|socket|IPC" .
cargo tree | rg "clash-verge-service-ipc"
rg -n "tmp/.*sock|/tmp/|/var/run/|RuntimeDirectory|launchd|systemd|socket" src packages scripts deploy .github . 2>/dev/null

Windows:

rg -n "clash-verge-service-ipc|verge-mihomo.sock|chmod 777|chmod 666|0o777|0o666|umask|pre_exec|socket|IPC" .
cargo tree | rg "clash-verge-service-ipc"
rg -n "tmp/.*sock|/tmp/|/var/run/|RuntimeDirectory|launchd|systemd|socket" src packages scripts deploy .github .

Do not attempt local privilege-escalation proofs, create permissive sockets on shared systems, or inspect other users’ local data during validation.

Remediation strategy

  • Upgrade every controlled clash-verge-service-ipc dependency, lockfile, package manifest, desktop bundle, and SBOM to 2.3.0+.
  • If the repository owns a downstream desktop client or service wrapper, ensure it consumes the fixed IPC package or a downstream build that includes the permission hardening.
  • Remove any startup or post-start logic that broadens IPC permissions after socket creation.
  • Ensure the parent IPC directory and socket are created with least privilege: only the service account and intended admin-capable group should have access.
  • Prefer fail-closed ownership and permission setup at process creation time rather than delayed repair logic after the service starts.
  • Review whether local helper binaries, service APIs, or request handlers reachable through the socket can trigger privileged actions that should be further gated by caller identity or group membership.

The prompt

You are remediating CVE-2026-26422 / GHSA-5m7x-g9jc-x5g7, a high-severity local
privilege-escalation issue caused by world-reachable IPC permissions in
`clash-verge-service-ipc`. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades the vulnerable IPC
  dependency, hardens socket and directory creation, removes unsafe permission
  broadening, refreshes generated artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected IPC package,
  desktop build, privileged service wrapper, or deployment artifact.

## Rules

- Scope only CVE-2026-26422 / GHSA-5m7x-g9jc-x5g7 and directly related IPC
  permission hardening.
- Treat local user boundaries, admin-group membership, service accounts, IPC
  paths, logs, packaged helpers, and any privileged service actions as
  sensitive.
- Do not run privilege-escalation proofs, create unsafe socket permissions, or
  inspect another user's data while validating.
- Do not "fix" the finding by disabling logging, hiding the socket path, or
  moving the vulnerability into undocumented installer behavior.
- Do not auto-merge.

## Steps

1. Inventory every repository-controlled reference to
   `clash-verge-service-ipc`, downstream Clash desktop/service packages,
   `Cargo.toml`, `Cargo.lock`, installers, service definitions, systemd or
   launchd units, packaging manifests, docs, and SBOMs.
2. Determine every resolved version. A target is vulnerable if it resolves
   below `2.3.0`.
3. Search for IPC path creation and permission logic: socket creation, parent
   directory creation, `chmod`, `PermissionsExt`, `umask`, `pre_exec`,
   post-start hooks, installer scripts, and service wrappers.
4. Determine which local identities can currently reach the privileged service:
   service account only, admin group, any logged-in user, or any local user.
5. If this repository does not control an affected package or privileged
   service wrapper, stop with `TRIAGE.md` listing checked files, resolved
   versions, and the owning team if another package or platform supplies it.
6. Upgrade all controlled `clash-verge-service-ipc` references to `2.3.0+`.
   Refresh `Cargo.lock`, package metadata, images, installers, SBOMs,
   dependency reports, and docs.
7. Remove or rewrite unsafe permission logic:
   - no world-readable or world-writable IPC directories or sockets;
   - no delayed `chmod 777` or similar repair step after startup;
   - create the socket with least privilege at process creation time;
   - restrict access to the service account and intended admin group only.
8. If the repository owns request-handling logic behind the socket, verify
   privileged operations cannot be invoked by callers outside the authorized
   local boundary even if they reach the socket.
9. Add safe regression coverage:
   - vulnerable versions are absent;
   - service-created IPC directories and sockets are not world-accessible;
   - authorized local admin paths still work;
   - unauthorized local identities are rejected or cannot connect;
   - logs do not disclose sensitive local paths or tokens unnecessarily.
10. Add a PR body section named `CVE-2026-26422 operator actions` that states:
    - versions before and after;
    - which packaged services or installers were reviewed;
    - the intended local trust boundary for the IPC path;
    - whether historical installs may have left unsafe permissions behind;
    - whether operators should restart the service or clean up stale socket
      files after rollout;
    - which validation commands passed.
11. Run available validation: dependency resolution, unit tests, packaging
    tests, service config lint, installer checks, build, SBOM refresh, and
    dependency/security scans.
12. Use PR title:
    `fix(sec): remediate CVE-2026-26422 in clash-verge-service-ipc`.

## Stop conditions

- No affected IPC package, wrapper, packaged service, or installer is
  controlled by this repository.
- The vulnerable service is supplied entirely by another team or upstream
  distributor; document owner and required version in `TRIAGE.md`.
- Verification would require live privilege escalation or unsafe multi-user
  testing on a shared host.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled dependency, package, or SBOM resolves clash-verge-service-ipc <2.3.0.
  • IPC directories and sockets are not world-accessible.
  • Permission hardening happens at creation time, not via a delayed permissive repair step.
  • Repository-owned privileged service actions stay limited to authorized local identities.
  • Operator notes cover service restart or stale-socket cleanup where needed.

Output contract

  • Reviewer-ready PR upgrading all controlled clash-verge-service-ipc references to 2.3.0+ and refreshing lockfiles, packages, SBOMs, and generated artifacts.
  • Permission hardening for parent directories and sockets, including removal of delayed broad chmod repair logic.
  • Regression or policy checks proving IPC paths are not world-accessible and privileged actions remain limited to authorized local identities.
  • TRIAGE.md when the repository does not control the affected IPC package, privileged wrapper, packaged service, or safe validation path.

Watch for

  • Updating the Rust dependency while installer scripts or service units still widen permissions afterward.
  • Fixing only the socket mode while leaving the parent directory broadly accessible.
  • Assuming “local only” is safe when the service performs privileged network or kernel actions.
  • Shipping the patched source while packaged desktop builds still include an older bundled helper.

References