CVE-2026-41651
Modified Modified - Updated After Analysis
TOCTOU Race Condition in PackageKit Allows Local Root Installation

Publication date: 2026-04-22

Last updated on: 2026-05-05

Assigner: GitHub, Inc.

Description
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` β†’ `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41651
EUVD
EUVD-2026-24742
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
packagekit_project packagekit From 1.0.2 (inc) to 1.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-41651 is a high-severity local privilege escalation vulnerability that allows unprivileged users to gain root access and install arbitrary packages without authentication. This results in a full loss of confidentiality, integrity, and availability of the affected system.

Such a compromise can severely impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity. Unauthorized root access could lead to data breaches, unauthorized data modification, and disruption of services, all of which violate these regulatory requirements.

Therefore, organizations using vulnerable versions of PackageKit (1.0.2 through 1.3.4) risk non-compliance due to potential unauthorized access and control over protected data and systems.

Executive Summary

This vulnerability exists in PackageKit versions 1.0.2 through 1.3.4 and is a time-of-check time-of-use (TOCTOU) race condition involving transaction flags. It allows an unprivileged local user to install arbitrary RPM packages as root without authentication.

The issue arises because the software overwrites transaction flags without proper checks, silently rejects backward state transitions while leaving corrupted flags in place, and reads these corrupted flags at execution time instead of authorization time. This combination enables an attacker to escalate privileges locally by installing packages with root permissions.

Impact Analysis

This vulnerability can lead to local privilege escalation, allowing an unprivileged user to gain root access on the affected system.

An attacker exploiting this flaw can install arbitrary RPM packages as root, including executing malicious RPM scriptlets, which can compromise the entire system's security and integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PackageKit to version 1.3.5 or later, where the issue is patched.

Until the upgrade is applied, restrict unprivileged user access to PackageKit to prevent exploitation of the local privilege escalation vulnerability.

Detection Guidance

You can detect the vulnerability by checking the installed PackageKit version and verifying if the PackageKit daemon is active on your system.

  • Check the installed PackageKit version using package manager commands such as:
  • `dpkg -l | grep -i packagekit` (for Debian/Ubuntu systems)
  • `rpm -qa | grep -i packagekit` (for RPM-based systems like Fedora, RHEL)
  • Check if the PackageKit daemon is running with commands like:
  • `systemctl status packagekit`
  • or
  • `pkmon`

Additionally, monitoring system logs for PackageKit daemon crashes or assertion failures can indicate exploitation attempts. Look for log entries similar to:

  • PackageKit:ERROR:../src/pk-transaction.c:514:pk_transaction_finished_emit: assertion failed: (!transaction->priv->emitted_finished) Bail out!

Systemd may automatically restart the daemon after such crashes, so repeated crashes or restarts in logs are a forensic indicator of compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41651. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart