Severity: HIGH | CVE-2026-26422 | CNA: mitre

CVE-2026-26422: clash-verge-service-ipc before 2

clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.

Metrics

CVSS v3.1: 8.4
Severity: HIGH
Fixed in: 2.3.0
Affected Products: 1

HarborGuard Analysis

Synopsis

A local privilege escalation vulnerability exists in the clash-verge-service-ipc component of Clash Verge Rev before version 2.3.0. The service exposes an IPC (inter-process communication) endpoint that any local process can reach without authentication, meaning no network access or login credentials are required to interact with it. A successful attacker who already has any foothold on the host can abuse this endpoint to read sensitive data, tamper with the system, or execute code at an elevated privilege level. A patched-image rebuild at version 2.3.0 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-26422 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle clash-verge-service-ipc. Any image carrying a version of the component below 2.3.0 is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.4 (High) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Status: Available

Patch

A patched-image rebuild at clash-verge-service-ipc 2.3.0 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable IPC endpoint.

  • Authentication: Not required

    No credentials or privilege level are required; the IPC endpoint is world-reachable by any local process.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can exploit the endpoint directly without any social engineering.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or specific memory layout requirements apply.

Blast Radius

  • A successful attacker reads sensitive data from the host system, including files and secrets accessible at elevated privilege levels.
  • The attacker modifies system state or configuration by issuing privileged IPC commands through the exposed endpoint.
  • The attacker executes code with the privilege level of the clash-verge-service-ipc process, achieving local privilege escalation from an unprivileged foothold.
  • All three impact dimensions (confidentiality, integrity, availability) are rated High, meaning the attacker has full control over the affected service and its reachable resources.

How HarborGuard Handles This

Available on HarborGuard: detection of this vulnerability is matched against all scanned images within minutes of ingestion, and a rebuild targeting clash-verge-service-ipc 2.3.0 is available for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, execute regression tests, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS 8.4 scoring context attached. Because this is a local privilege escalation requiring only a process-level foothold, compensating controls worth considering include restricting IPC socket permissions via host security policies, applying least-privilege container security contexts, and ensuring container images do not bundle the clash-verge-service-ipc binary unless it is explicitly required.
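
The socket-permission control mentioned above can be audited with a short script. This is an added example, not HarborGuard or Clash Verge code; it assumes the endpoint is a filesystem Unix-domain socket on Linux, and the socket names and directory layout are constructed placeholders because this page does not give the real endpoint path.

```python
import os
import shutil
import socket
import stat
import tempfile


def world_reachable_sockets(root):
    """Return (relative path, mode) for Unix sockets under root open to any local user.

    On Linux, connect() needs write permission on the socket file and search
    permission on its directory (only the immediate parent is checked here).
    Abstract-namespace sockets have no file mode and are out of scope."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_searchable = bool(os.stat(dirpath).st_mode & stat.S_IXOTH)
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISSOCK(st.st_mode) and dir_searchable and st.st_mode & stat.S_IWOTH:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Audit a constructed directory tree holding three placeholder sockets."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "locked"))
    layout = [("open.sock", 0o666),          # weak: any local user can connect
              ("owner-only.sock", 0o600),    # restricted by socket mode
              ("locked/open.sock", 0o666)]   # restricted by directory mode
    servers = []
    try:
        for rel, mode in layout:
            srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            srv.bind(os.path.join(root, rel))
            os.chmod(os.path.join(root, rel), mode)
            servers.append(srv)
        os.chmod(os.path.join(root, "locked"), 0o700)
        return world_reachable_sockets(root)
    finally:
        for srv in servers:
            srv.close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Point `world_reachable_sockets` at the directory where a privileged service creates its socket; any entry it returns is connectable by every local account and should be tightened to an owner or group mode.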

Fix available: 2.3.0

Affected packages
  • Clash Verge Rev / clash-verge-service-ipc: < 2.3.0 (from 0)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H