Description
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.

A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:
1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.
3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
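As an added illustration (not PackageKit's own code; every name below is assumed), the following C model shows the three guards that close the race described above: flag writes refused once a transaction is authorized, backward state transitions reported instead of silently dropped, and dispatch reading the flags snapshotted at authorization rather than the live cache.

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustrative model of the three fixes the advisory implies, written for this page; not PackageKit's code. */
typedef enum { TX_NEW, TX_WAITING_FOR_AUTH, TX_READY, TX_RUNNING, TX_FINISHED } tx_state_t;
enum { FLAG_NONE = 0u, FLAG_ONLY_TRUSTED = 1u << 0 };

typedef struct {
    tx_state_t state; bool authorized;
    unsigned cached_flags;     /* caller-writable, like cached_transaction_flags */
    unsigned authorized_flags; /* snapshot frozen when authorization succeeds */
} tx_t;

/* Bug 2 fix: a backward transition is reported to the caller, not silently dropped. */
static bool tx_set_state(tx_t *tx, tx_state_t next) {
    if (next < tx->state) return false;
    tx->state = next;
    return true;
}

/* Bug 1 fix: flags are writable only before authorization. */
static bool tx_set_flags(tx_t *tx, unsigned flags) {
    if (tx->authorized) return false;
    tx->cached_flags = flags;
    return true;
}

/* Authorization is the time-of-check: the flags in force are frozen here. */
static bool tx_authorize(tx_t *tx) {
    if (tx->authorized || !tx_set_state(tx, TX_READY)) return false;
    tx->authorized_flags = tx->cached_flags;
    tx->authorized = true;
    return true;
}

/* Bug 3 fix: dispatch consumes the authorized snapshot, never the mutable
 * cache; returns the flags the backend runs with, or UINT32_MAX if refused. */
static uint32_t tx_dispatch(tx_t *tx) {
    if (!tx->authorized || !tx_set_state(tx, TX_RUNNING)) return UINT32_MAX;
    return tx->authorized_flags;
}

/* The advisory's sequence: set flags, authorize, then attempt a second flag write and a backward transition. */
static uint32_t tx_scenario(unsigned first_flags, unsigned second_flags) {
    tx_t tx = { TX_NEW, false, FLAG_NONE, FLAG_NONE };
    if (!tx_set_flags(&tx, first_flags) || !tx_authorize(&tx)) return UINT32_MAX;
    (void)tx_set_flags(&tx, second_flags);        /* refused: already authorized */
    (void)tx_set_state(&tx, TX_WAITING_FOR_AUTH); /* refused: backward */
    return tx_dispatch(&tx);                      /* backend sees first_flags */
}
```

With these guards the second flag write and the backward transition both fail loudly, so the backend only ever runs with the flags that were actually authorized.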
Published: 2026-04-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

PackageKit contains a TOCTOU race on transaction flags that lets an unprivileged user overwrite the cached flags while a transaction is running; the unchecked flag overwrite, silent rejection of backward state transitions, and delayed flag read allow the attacker to set install flags that cause the package backend to install arbitrary RPMs with root privileges, executing any scriptlets contained in the package.

Affected Systems

The vulnerability affects PackageKit versions 1.0.2 through 1.3.4 on Linux distributions that use PackageKit as the D-Bus abstraction layer for package management.

Risk and Exploitability

The flaw carries a CVSS score of 8.8. No EPSS score is available, but exploitation is believed to be feasible because it requires only local access and no network communication. The vulnerability is not listed in the CISA KEV catalog, yet the local nature of the attack coupled with the high severity means it should be addressed promptly on any system running the affected PackageKit versions.

Generated by OpenCVE AI on April 22, 2026 at 15:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PackageKit to version 1.3.5 or later, which removes the race condition and the silent guard flaw.
  • If an upgrade is not immediately possible, reconfigure the D-Bus permissions so that only privileged users can invoke install operations, effectively blocking unprivileged flag alterations.
  • Configure system audit rules to log any unusual D‑Bus method calls to pk-transaction or suspicious package install attempts, enabling rapid detection of attempted exploitation.

Generated by OpenCVE AI on April 22, 2026 at 15:01 UTC.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 13:45:00 +0000

First Time appeared (added): Packagekit Project; Packagekit Project packagekit
CPEs (added): cpe:2.3:a:packagekit_project:packagekit:*:*:*:*:*:*:*:*
Vendors & Products (added): Packagekit Project; Packagekit Project packagekit

Thu, 23 Apr 2026 00:15:00 +0000

References (updated)
Metrics threat_severity: None (removed); Important (added)

Wed, 22 Apr 2026 19:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 18:30:00 +0000

References (updated)

Wed, 22 Apr 2026 13:45:00 +0000

Description (added): PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
Title (added): PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
Weaknesses (added): CWE-367
References (updated)
Metrics cvssV3_1 (added): {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:36:23.661Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41651

Vulnrichment

Updated: 2026-04-22T17:21:17.120Z

NVD

Status: Analyzed

Published: 2026-04-22T14:17:04.617

Modified: 2026-04-24T13:43:37.347

Link: CVE-2026-41651

Redhat

Severity: Important

Public Date: 2026-04-22T13:11:40Z

Links: CVE-2026-41651 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses