{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41651", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-21T23:58:43.802Z", "datePublished": "2026-04-22T13:11:40.174Z", "dateUpdated": "2026-04-22T17:21:17.120Z"}, "containers": {"cna": {"title": "PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv"}, {"name": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277", "tags": ["x_refsource_MISC"], "url": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277"}, {"name": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036", "tags": ["x_refsource_MISC"], "url": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036"}, {"name": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882", "tags": ["x_refsource_MISC"], "url": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882"}, {"name": "https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html", "tags": ["x_refsource_MISC"], "url": "https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html"}], "affected": [{"vendor": "PackageKit", "product": "PackageKit", "versions": [{"version": ">= 1.0.2, <= 1.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T13:11:40.174Z"}, "descriptions": [{"lang": "en", "value": "PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.\n\nA local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:\n1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.\n2. Silent state-transition rejection (lines 873\u2013882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` \u2192 `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.\n3. Late flag read at execution time (lines 2273\u20132277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags."}], "source": {"advisory": "GHSA-f55j-vvr9-69xv", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/22/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T17:21:17.120Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.\n\nA local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:\n1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.\n2. Silent state-transition rejection (lines 873\u2013882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` \u2192 `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.\n3. Late flag read at execution time (lines 2273\u20132277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags."}], "id": "CVE-2026-41651", "lastModified": "2026-04-22T14:17:04.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T14:17:04.617", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277"}, {"source": "security-advisories@github.com", "url": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036"}, {"source": "security-advisories@github.com", "url": "https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882"}, {"source": "security-advisories@github.com", "url": "https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv"}, {"source": "security-advisories@github.com", "url": "https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:01:48.659151+00:00", "value": {"mitigation_remediation": ["Upgrade PackageKit to version 1.3.5 or later, which removes the race condition and the silent guard flaw.", "If an upgrade is not immediately possible, reconfigure the D\u2011Bus permissions so that only privileged users can invoke install operations, effectively blocking unprivileged flag alterations.", "Configure system audit rules to log any unusual D\u2011Bus method calls to pk-transaction or suspicious package install attempts, enabling rapid detection of attempted exploitation."], "summary": {"action": "Apply Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects PackageKit versions 1.0.2 through 1.3.4 on Linux distributions that use PackageKit as the D\u2011Bus abstraction layer for package management.", "description_and_impact": "PackageKit contains a TOCTOU race on transaction flags that lets an unprivileged user overwrite the cached flags while a transaction is running; the unchecked flag overwrite, silent rejection of backward state transitions, and delayed flag read allow the attacker to set install flags that cause the package backend to install arbitrary RPMs with root privileges, executing any scriptlets contained in the package.", "risk_and_exploitability": "The flaw yields a CVSS score of 8.8, with no EPSS score available but the exploit is believed to be feasible because it requires only local access and no network communication; the vulnerability is not listed in the CISA KEV catalog, yet the local nature of the attack coupled with the high severity means that it should be addressed promptly on any systems running the affected PackageKit versions."}}}}, "created": "2026-04-22T15:15:16.414081+00:00", "updated": "2026-04-22T15:15:16.414091+00:00", "vendors": []}