Cyber Posture

CVE-2026-41651

Severity: High · Public PoC

Published: 22 April 2026
Modified: 05 May 2026
KEV Added: (no entry)
Patch: 22 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:

1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`), but the flag overwrite from step 1 has already happened. The transaction continues running with corrupted flags.
3. Late flag read at execution time (lines 2273–2277): the scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If the flags were overwritten between authorization and execution, the backend sees the attacker's flags.
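To make the interaction of the three defects concrete, the following is an added illustration in C and is not PackageKit's code or anything from the advisory: a deliberately minimal, hypothetical transaction model (all names, states and flag values are constructed) in which one variant overwrites cached flags unconditionally and relies on a state guard that rejects backward transitions silently, while the hardened variant refuses any new request once the transaction has left its initial state and makes the state guard report rejection. A driver runs the same call sequence (request, authorize and start, second request while RUNNING) through both variants and reports whether the flags read at dispatch differ from the flags that were authorized.

```c
#include <stdio.h>

/* Hypothetical transaction state machine (constructed for illustration). */
enum tx_state { TX_NEW, TX_WAITING_FOR_AUTH, TX_READY, TX_RUNNING, TX_FINISHED };

typedef unsigned int tx_flags;
#define TX_FLAG_NONE         0u
#define TX_FLAG_ONLY_TRUSTED (1u << 0)   /* constructed: require signed packages */

struct transaction {
    enum tx_state state;
    tx_flags cached_flags;      /* what the backend reads at dispatch time  */
    tx_flags authorized_flags;  /* what the user was actually authorized for */
};

/* Guard that discards backward transitions without telling the caller. */
static void set_state_silent(struct transaction *t, enum tx_state s)
{
    if (s < t->state)
        return;                 /* rejected, but nobody learns of it */
    t->state = s;
}

/* Vulnerable pattern: flags are overwritten regardless of current state,
 * and the following state change may be silently dropped. */
static int install_files_vulnerable(struct transaction *t, tx_flags f)
{
    t->cached_flags = f;                        /* unconditional overwrite */
    set_state_silent(t, TX_WAITING_FOR_AUTH);   /* dropped if already RUNNING */
    return 0;
}

/* Hardened pattern: the guard returns an error, and a request is only
 * accepted while the transaction is still in its initial state. */
static int set_state_checked(struct transaction *t, enum tx_state s)
{
    if (s < t->state)
        return -1;
    t->state = s;
    return 0;
}

static int install_files_fixed(struct transaction *t, tx_flags f)
{
    if (t->state != TX_NEW)
        return -1;              /* already authorized/started: refuse */
    if (set_state_checked(t, TX_WAITING_FOR_AUTH) != 0)
        return -1;
    t->cached_flags = f;        /* written only after the state check passed */
    return 0;
}

/* Time of check: authorization snapshots the flags, then the job starts. */
static void authorize_and_start(struct transaction *t)
{
    t->authorized_flags = t->cached_flags;
    t->state = TX_RUNNING;
}

/* Time of use: dispatch reads the cached flags late, as the text describes. */
static tx_flags dispatch_flags(const struct transaction *t)
{
    return t->cached_flags;
}

/* Run one variant through the sequence; returns 1 if the backend would see
 * flags different from those that were authorized, 0 otherwise. */
static int flags_diverged(int (*install)(struct transaction *, tx_flags))
{
    struct transaction t = { TX_NEW, TX_FLAG_NONE, TX_FLAG_NONE };
    install(&t, TX_FLAG_ONLY_TRUSTED);  /* legitimate first request */
    authorize_and_start(&t);
    install(&t, TX_FLAG_NONE);          /* second request while RUNNING */
    return dispatch_flags(&t) != t.authorized_flags;
}

int main(void)
{
    printf("vulnerable variant: flags diverged = %d\n",
           flags_diverged(install_files_vulnerable));   /* 1 */
    printf("hardened variant:   flags diverged = %d\n",
           flags_diverged(install_files_fixed));        /* 0 */
    return 0;
}
```

The point the model makes is that fixing the silent guard alone is not enough: as long as the flags are written before the state check, a rejected transition still leaves the overwritten value behind for the late read. The hardened variant orders the check before the write and also refuses requests after the initial state, which closes both the overwrite and the late-read window; reading the snapshot taken at authorization time instead of the cached value at dispatch would close the third defect independently.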

Mitigating Controls (NIST 800-53 r5), AI-generated

- prevent: Directly remediates the TOCTOU race condition flaw in PackageKit by identifying, prioritizing, and patching the vulnerable versions 1.0.2 through 1.3.4.
- prevent: Prohibits unprivileged users from installing software without authorization, blocking the local privilege escalation via arbitrary RPM package installation.
- prevent: Enforces least privilege on package management operations to limit unprivileged user access to root-level transaction flag manipulation and execution.

Security Summary, AI-generated

PackageKit, a D-Bus abstraction layer for cross-distro and cross-architecture package management, in versions 1.0.2 through 1.3.4, contains a time-of-check time-of-use (TOCTOU) race condition on transaction flags in src/pk-transaction.c. This vulnerability (CVE-2026-41651, CVSS 8.8; AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, CWE-367) allows unprivileged users to install packages as root, enabling local privilege escalation. The flaw arises from three bugs: an unconditional flag overwrite in InstallFiles() at line 4036, a silent rejection of backward state transitions at lines 873–882 that leaves corrupted flags intact, and a late flag read at dispatch time in the scheduler's idle callback at lines 2273–2277.

A local unprivileged user can exploit this race condition to install arbitrary RPM packages as root without authentication, including executing RPM scriptlets. By calling InstallFiles() after initial authorization but while the transaction is in a RUNNING state, the attacker overwrites cached_transaction_flags with their supplied values. The state machine discards any illegal backward transitions silently, allowing the transaction to proceed with the attacker's flags, which are then read and applied at execution time by the backend.

The issue is addressed in PackageKit version 1.3.5. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at GHSA-f55j-vvr9-69xv and a technical analysis at github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html, with affected code referenced in the PackageKit repository.

Details

CWE(s): CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)

Affected Products

Vendor: packagekit project
Product: packagekit
Versions: 1.0.2 — 1.3.5 (the description above names 1.3.4 as the last affected release and 1.3.5 as the patched release)

MITRE ATT&CK Enterprise Techniques, AI-generated

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The TOCTOU race condition in PackageKit allows unprivileged local users to install arbitrary RPM packages and execute scriptlets as root, directly enabling exploitation for local privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
