


Perceptive Security
SOC/SIEM Consultancy

PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit betwe…
Published:
21 April 2026 at 22:00:00
Alert date:
22 April 2026 at 22:11:22
Source:
nvd.nist.gov
Operating Systems, Supply Chain & Dependencies
PackageKit versions 1.0.2 through 1.3.4 contain a time-of-check time-of-use (TOCTOU) race condition that allows an unprivileged local user to install arbitrary RPM packages as root, i.e. a local privilege escalation. The race lies in transaction flag handling: three bugs allow the caller to overwrite the cached transaction flags while the transaction is already executing, so the flags the daemon authorized are not the flags it acts on. The result is installation of packages, including execution of their RPM scriptlets as root, without any authentication of the caller. The vulnerability is rated critical and is fixed in version 1.3.5.
Technical details
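The following C program is an added illustration of the TOCTOU pattern the advisory describes, written for this page; it is not PackageKit's code, and the transaction structure, the SIMULATE flag, the hook that stands in for a second IPC call arriving mid-transaction, and the authorization policy (a simulated run needs no privilege, a real install does) are all assumptions made to keep the model small. The vulnerable variant decides authorization on the live flags and re-reads them at execution time, so a caller who changes the flags in between turns an authorized dry run into an unauthorized real install; the hardened variant freezes the flags once the transaction starts and acts only on the snapshot that was authorized.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a privileged package daemon's transaction (an added
 * illustration, not PackageKit's structures; names and flags are assumptions). */
enum { TX_FLAG_SIMULATE = 1u << 0 };            /* dry run: nothing is written */
typedef enum { TX_SETUP, TX_RUNNING, TX_DONE } tx_state;

typedef struct {
    unsigned flags;        /* settable by the caller over the daemon's IPC interface */
    unsigned auth_flags;   /* snapshot taken when authorization was decided */
    tx_state state;
    bool caller_privileged;
    int installed;         /* number of packages actually installed as root */
} transaction;

/* A second IPC call that lands while the transaction is running (the race window). */
typedef void (*mid_run_hook)(transaction *tx);

static void tx_init(transaction *tx, bool privileged, unsigned flags)
{
    tx->flags = flags;
    tx->auth_flags = 0;
    tx->state = TX_SETUP;
    tx->caller_privileged = privileged;
    tx->installed = 0;
}

/* Assumed policy, shared by both variants: a simulation needs no privilege,
 * a real install does. */
static bool authorize(unsigned flags, bool privileged)
{
    return (flags & TX_FLAG_SIMULATE) || privileged;
}

/* ---- vulnerable variant: flags are mutable at any time and re-read after the check ---- */
static int vuln_set_flags(transaction *tx, unsigned flags)
{
    tx->flags = flags;                                   /* accepted even mid-run */
    return 0;
}

static int vuln_run(transaction *tx, mid_run_hook hook)
{
    if (!authorize(tx->flags, tx->caller_privileged))   /* time of check */
        return -1;
    tx->state = TX_RUNNING;
    if (hook) hook(tx);                                  /* attacker's window */
    if (!(tx->flags & TX_FLAG_SIMULATE))                 /* time of use: live flags */
        tx->installed++;                                 /* would run scriptlets as root */
    tx->state = TX_DONE;
    return 0;
}

/* ---- hardened variant: freeze the flags, then act only on the authorized snapshot ---- */
static int safe_set_flags(transaction *tx, unsigned flags)
{
    if (tx->state != TX_SETUP)
        return -1;                                       /* frozen once the transaction starts */
    tx->flags = flags;
    return 0;
}

static int safe_run(transaction *tx, mid_run_hook hook)
{
    tx->state = TX_RUNNING;                              /* freeze before checking ... */
    tx->auth_flags = tx->flags;                          /* ... and snapshot what is checked */
    if (!authorize(tx->auth_flags, tx->caller_privileged)) {
        tx->state = TX_DONE;
        return -1;
    }
    if (hook) hook(tx);                                  /* the same window, now harmless */
    if (!(tx->auth_flags & TX_FLAG_SIMULATE))            /* use the snapshot, not the live field */
        tx->installed++;
    tx->state = TX_DONE;
    return 0;
}

/* The attacker's mid-run call: drop SIMULATE so a real install happens. */
static void attacker_clears_simulate(transaction *tx)
{
    vuln_set_flags(tx, tx->flags & ~TX_FLAG_SIMULATE);
}
static void attacker_clears_simulate_safe(transaction *tx)
{
    safe_set_flags(tx, tx->flags & ~TX_FLAG_SIMULATE);  /* rejected: returns -1, flags unchanged */
}

/* Packages an unprivileged caller gets installed after starting a dry run
 * and flipping the flags mid-transaction. */
int unprivileged_install_count(bool hardened)
{
    transaction tx;
    tx_init(&tx, false, TX_FLAG_SIMULATE);
    if (hardened) safe_run(&tx, attacker_clears_simulate_safe);
    else          vuln_run(&tx, attacker_clears_simulate);
    return tx.installed;
}

/* Regression check: a privileged real install must still work when hardened. */
int privileged_install_count(bool hardened)
{
    transaction tx;
    tx_init(&tx, true, 0);
    if (hardened) safe_run(&tx, NULL);
    else          vuln_run(&tx, NULL);
    return tx.installed;
}

int main(void)
{
    printf("vulnerable: unprivileged caller installed %d package(s)\n", unprivileged_install_count(false));
    printf("hardened:   unprivileged caller installed %d package(s)\n", unprivileged_install_count(true));
    return 0;
}
```

The two changes in the hardened variant are independent and both matter: rejecting flag changes after the transaction has left the setup state closes the window, and consulting a snapshot taken at authorization time means that even if some other path still mutates the live field, the decision and the action are made on the same data.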
Mitigation steps:
Update PackageKit to version 1.3.5 or later, the release in which the vulnerability is fixed.
Affected products:
PackageKit (versions 1.0.2 through 1.3.4)
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41651
https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277
https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036
https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882
https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
http://www.openwall.com/lists/oss-security/2026/04/22/6
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
