Fix Soon

CVE-2026-41651

Local Privilege Escalation in PackageKit

Summary

PackageKit's D-Bus daemon has a time-of-check/time-of-use race in transaction flag handling. A local unprivileged user can re-invoke transaction methods on the same running transaction, overwrite cached flags after authorization, and make PackageKit perform package installs or removals as root. On default installations where PackageKit is enabled, this can lead to root compromise without entering a password.

Why Fix Soon?

5/6
No authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
Public PoC available
High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact

Gain root privileges and install or remove packages, including package scriptlets.

Privilege Escalation
Exploitation Requirements

None — vulnerable in default configuration

Exploitation Process

An attacker with local access starts a PackageKit transaction that reaches the authorization path, then immediately reuses the same transaction object to send another action call with attacker-controlled flags or payload data. Before the idle dispatcher executes the backend call, PackageKit keeps the overwritten cached flags, so the backend performs the package operation as root. Success is visible when the package installs, a scriptlet runs, or the attacker gets a root shell.

Detection Resources
Script Detection: 0

Affected Software

Vendor: PackageKit
Product: PackageKit
Affected Versions: 1.0.2 through 1.3.4
Description

D-Bus abstraction layer for Linux package management that lets applications refresh metadata, search repositories, install software, and remove packages through a cross-distribution API.

Deployment: Typically internal
Protocol: D-Bus
Affected Component: PackageKit daemon transaction handling in src/pk-transaction.c, especially InstallFiles flag caching and transaction state transitions before backend execution.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimation based on market presence, product type and adoption signals, not exact data).
Vendor Size: Medium
Remediation

Workaround: Not available

Patch: Backport commit 76cfb675 to your current PackageKit build; it blocks re-invoking action methods on non-new transactions and prevents cached flags from being overwritten after authorization.

Update: Upgrade to PackageKit 1.3.5 or later, or use a distro backport that includes the fix.
Threat Intelligence
EPSS Score: 0.2% (probability of exploitation in the next 30 days)
EPSS Percentile: 42% (worse than 42% of all CVEs)
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors: No known threat actors

Detection Rules (1)

Other: journalctl / packagekitd: alert on assertion failure or SIGABRT after transaction re-invocation; e.g. 'assertion failed: (!transaction->priv->emitted_finished)' in packagekit logs

NVD Data


Description Summary

PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit versions 1.0.2 through 1.3.4 inclusive are vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:

1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized or started. A second call blindly overwrites the flags even while the transaction is RUNNING.
2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`), but the flag overwrite from step 1 has already happened. The transaction continues running with corrupted flags.
3. Late flag read at execution time (lines 2273–2277): the scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If the flags were overwritten between authorization and execution, the backend sees the attacker's flags.
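The following C model is an added illustration, not PackageKit's own code: it reproduces the three described defects in simplified form (silent backward-transition rejection, unconditional flag overwrite, flag read at dispatch time) and places the vulnerable `InstallFiles` handling beside a guard of the kind the fix describes, which accepts action methods only on a transaction that is still new. The state names, struct layout and the `FLAG_ONLY_TRUSTED` bit are stand-ins, not PackageKit's identifiers.

```c
#include <stdbool.h>
/* Added illustration, not PackageKit's own code: a simplified model of the
 * transaction state machine and flag cache the advisory describes. */
enum pk_state { STATE_NEW, STATE_WAITING_FOR_AUTH, STATE_RUNNING, STATE_FINISHED };
#define FLAG_ONLY_TRUSTED 0x1u  /* constructed stand-in for a trust-related flag bit */
struct transaction {
    enum pk_state state;
    unsigned cached_flags;  /* models transaction->cached_transaction_flags */
};

/* Bug 2 as described: backward transitions are silently discarded. */
static bool set_state(struct transaction *t, enum pk_state s)
{
    if (s < t->state)
        return false;
    t->state = s;
    return true;
}

/* Bug 1 as described: the flag cache is overwritten regardless of state. */
static void install_files_vulnerable(struct transaction *t, unsigned flags)
{
    t->cached_flags = flags;               /* unconditional overwrite */
    set_state(t, STATE_WAITING_FOR_AUTH);  /* silently dropped if RUNNING */
}

/* Hardened, per the fix summarized above: accept action methods only on NEW. */
static bool install_files_fixed(struct transaction *t, unsigned flags)
{
    if (t->state != STATE_NEW)
        return false;                      /* reject re-invocation */
    t->cached_flags = flags;
    return set_state(t, STATE_WAITING_FOR_AUTH);
}

/* Replays the race: first call, authorization, second call with different
 * flags, then dispatch. Bug 3: the backend reads the cache only at dispatch.
 * Returns the flags the backend would act on. */
static unsigned flags_seen_by_backend(bool fixed)
{
    struct transaction t = { STATE_NEW, 0 };
    if (fixed) install_files_fixed(&t, FLAG_ONLY_TRUSTED);
    else       install_files_vulnerable(&t, FLAG_ONLY_TRUSTED);
    set_state(&t, STATE_RUNNING);          /* authorization granted */
    if (fixed) install_files_fixed(&t, 0); /* second call: rejected */
    else       install_files_vulnerable(&t, 0);
    set_state(&t, STATE_FINISHED);         /* idle dispatcher runs the backend */
    return t.cached_flags;
}
```

In the vulnerable path the backend acts on the second call's flags (0) even though authorization was granted for `FLAG_ONLY_TRUSTED`; with the guard, the re-invocation is refused and the authorized flags survive to dispatch.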

CVSS Base Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Version From: 1.0.2
Version Up To: 1.3.5

Affected Software (CPE) (1)

  • cpe:2.3:a:packagekit_project:packagekit:*:*:*:*:*:*:*:*

Priority History

  • Planned Fix: Initial analysis
  • Fix Soon: Elevated — new exploitation evidence confirmed
  • Planned Fix: Reassessed to Planned Fix
  • Fix Soon: Elevated — new exploitation evidence confirmed