8.8
HIGH CVSS 3.1
CVE-2026-41651
PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
Description

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

INFO

Published Date :

April 22, 2026, 2:17 p.m.

Last Modified :

July 15, 2026, 2:21 a.m.

Remotely Exploit :

No
Affected Products

The following products are affected by CVE-2026-41651 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Packagekit_project packagekit
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH MITRE-CVE
CVSS 3.1 HIGH 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Solution
Update PackageKit to version 1.3.5 or later to fix a TOCTOU race condition vulnerability.
  • Update PackageKit to version 1.3.5 or later.
  • Apply vendor-provided security patches for PackageKit.
  • Review transaction flag handling in PackageKit.
  • Ensure proper state management in PackageKit transactions.
Public PoC/Exploit Available at Github

CVE-2026-41651 has a 29 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-41651.

URL Resource
https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277 Product
https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036 Product
https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882 Product
https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv Exploit Vendor Advisory
https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Exploit Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/04/22/6 Mailing List Patch Third Party Advisory
https://access.redhat.com/errata/RHSA-2026:11504
https://access.redhat.com/errata/RHSA-2026:11635
https://access.redhat.com/errata/RHSA-2026:17558
https://access.redhat.com/errata/RHSA-2026:17560
https://access.redhat.com/errata/RHSA-2026:17561
https://access.redhat.com/errata/RHSA-2026:18024
https://access.redhat.com/errata/RHSA-2026:18031
https://access.redhat.com/errata/RHSA-2026:18036
https://access.redhat.com/errata/RHSA-2026:19141
https://access.redhat.com/errata/RHSA-2026:19354
https://access.redhat.com/errata/RHSA-2026:19454
https://access.redhat.com/errata/RHSA-2026:19601
https://access.redhat.com/errata/RHSA-2026:22146
https://access.redhat.com/security/cve/CVE-2026-41651
https://bugzilla.redhat.com/show_bug.cgi?id=2460604
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41651.json
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-41651 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-41651 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

None

Batchfile PowerShell Shell Go

Updated: 8 hours, 56 minutes ago
0 stars 0 fork 0 watcher
Born at : July 14, 2026, 7:29 a.m. This repo has been linked 7 different CVEs too.

A curated, terminal-native privilege escalation engine.

Python

Updated: 1 week, 5 days ago
0 stars 0 fork 0 watcher
Born at : July 4, 2026, 10:44 p.m. This repo has been linked 3 different CVEs too.

Full Weaponized LPE Toolkit 2026

exploit linux-privilege-escalation privilage-escalation rootkit toolkit

C

Updated: 1 week, 2 days ago
1 stars 0 fork 0 watcher
Born at : July 3, 2026, 2:19 p.m. This repo has been linked 19 different CVEs too.

Multi-architecture Linux privilege escalation toolkit with 19 pre-built and runtime-compilable exploits. Auto-detects kernel version, filters patched exploits, tries each until root.

ctf cybersecurity exploit gtfobins kernel-exploit linux penetration-testing privilege-escalation security

Makefile Shell C Go

Updated: 3 weeks, 5 days ago
90 stars 17 fork 17 watcher
Born at : May 21, 2026, 7:33 p.m. This repo has been linked 16 different CVEs too.

Exploit for CVE-2026-41651 - PackageKit TOCTOU Local Privilege Escalation (Pack2TheRoot)

local-privilege-escalation lpe packagekit cve-2026-41651 linux-exploit pack2theroot

C

Updated: 1 month, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : May 20, 2026, 7:26 a.m. This repo has been linked 1 different CVEs too.

Checks your Linux kernel against known privilege escalation bugs and tells you what to do.

Shell Python

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : May 16, 2026, 3:57 p.m. This repo has been linked 5 different CVEs too.

Read-only Linux host checker for supply-chain incident response, including vulnerable kernel posture, risky module state, and known developer-tooling persistence indicators

JavaScript PowerShell

Updated: 4 days, 1 hour ago
1 stars 0 fork 0 watcher
Born at : May 13, 2026, 10:54 p.m. This repo has been linked 45 different CVEs too.

KubeTrail(云迹) 是一个面向 Kubernetes 授权红队评估与防御验证的容器内态势感知、攻击面发现和 AI 辅助攻防编排工具

HTML TypeScript Go Shell C NSIS Vue CSS JavaScript PowerShell

Updated: 1 week, 6 days ago
17 stars 2 fork 2 watcher
Born at : May 12, 2026, 8:34 a.m. This repo has been linked 16 different CVEs too.

None

Python

Updated: 2 months ago
1 stars 0 fork 0 watcher
Born at : May 6, 2026, 7:39 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 2 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 6, 2026, 6:12 a.m. This repo has been linked 1 different CVEs too.

Linux 打靶常用工具整合套件 爱来自 ll ❤️

Makefile C Python Shell Assembly PHP

Updated: 1 week, 2 days ago
44 stars 9 fork 9 watcher
Born at : May 3, 2026, 12:13 p.m. This repo has been linked 13 different CVEs too.

Privilege Escalation Vulnerability in PackageKit (TOCTOU Race Condition)

Python Shell

Updated: 2 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 3, 2026, 2:54 a.m. This repo has been linked 1 different CVEs too.

security scan and patch for linux system

Shell

Updated: 2 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : May 2, 2026, 10:19 a.m. This repo has been linked 12 different CVEs too.

This is a repo containing a script to check whether a Linux system may be affected by Pack2TheRoot / CVE-2026-41651 by reviewing the PackageKit version, service status, changelog, and recent logs. It also offers to update the system, but only if the user explicitly confirms by typing yes. It is a defensive validation script, not an exploit.

Updated: 2 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : April 30, 2026, 3 a.m. This repo has been linked 1 different CVEs too.

Poc for Pack2TheRoot CVE-2026-41651

Dockerfile Shell C Python

Updated: 2 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : April 29, 2026, 3:40 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-41651 vulnerability anywhere in the article.

  • CybersecurityNews
Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System

A high-severity privilege escalation vulnerability, dubbed Pack2TheRoot (CVE-2026-41651, CVSS 3.1: 8.8), has been publicly disclosed by Deutsche Telekom’s Red Team, affecting multiple major Linux dist ... Read more

Published Date: Apr 23, 2026 (2 months, 3 weeks ago)
  • CybersecurityNews
Apple Fixes Notification Privacy Flaw That Allowed FBI to Access Deleted Signal Messages

Apple released iOS 26.4.2 and iPadOS 26.4.2 on April 22, 2026, to patch a critical notification privacy vulnerability that allowed law enforcement to extract Signal message content from iPhones — even ... Read more

Published Date: Apr 23, 2026 (2 months, 3 weeks ago)
  • Daily CyberSecurity
Linux Privilege Escalation: “Pack2TheRoot” Flaw Impacts Major Distributions

A long-standing security flaw has been unearthed in a core component of the modern Linux desktop and server ecosystem. Known as Pack2TheRoot, this critical vulnerability resides in PackageKit, a D-Bus ... Read more

Published Date: Apr 23, 2026 (2 months, 3 weeks ago)

The following table lists the changes that have been made to the CVE-2026-41651 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

    Jul. 15, 2026

    Action Type Old Value New Value
    Changed Affected [{'cpes': ['cpe:/o:redhat:rhel_els:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux Server (v. 7 ELS)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:rhel_els:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux Server Optional (v. 7 ELS)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v. 10.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10.2'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 10)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:8::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_aus:8.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream AUS (v.8.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus_long_life:8.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_aus:8.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream AUS (v.8.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:8.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.8.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_tus:8.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream TUS (v.8.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:8.8::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.8.8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_tus:8.8::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream TUS (v.8.8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.0::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.9.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.2::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.9.2)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v.9.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v.9.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 9)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10.2'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:8::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CRB (v. 8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat CodeReady Linux Builder EUS (v.9.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat CodeReady Linux Builder EUS (v.9.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 6', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 7', 'defaultStatus': 'unaffected'}] [{'cpes': ['cpe:/o:redhat:enterprise_linux:10.2'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 10', 'versions': [{'status': 'unaffected', 'version': '0:1.2.8-8.el10_2', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 10.0 Extended Update Support', 'versions': [{'status': 'unaffected', 'version': '0:1.2.8-8.el10_0.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:rhel_els:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 7 Extended Lifecycle Support', 'versions': [{'status': 'unaffected', 'version': '0:1.1.10-2.el7_9.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:8'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-8.el8_10', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_aus:8.4'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_4.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus_long_life:8.4'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_4.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_aus:8.6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_6.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_tus:8.6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.6 Telecommunications Update Service', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_6.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:8.6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_6.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_tus:8.8'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.8 Telecommunications Update Service', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_8.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:8.8'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions', 'versions': [{'status': 'unaffected', 'version': '0:1.1.12-6.el8_8.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9', 'versions': [{'status': 'unaffected', 'version': '0:1.2.6-2.el9_7', 'lessThan': '*', 'versionType': 'rpm'}, {'status': 'unaffected', 'version': '0:1.2.6-2.el9_8', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions', 'versions': [{'status': 'unaffected', 'version': '0:1.2.4-2.el9_0.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.2'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions', 'versions': [{'status': 'unaffected', 'version': '0:1.2.4-2.el9_2.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9.4 Extended Update Support', 'versions': [{'status': 'unaffected', 'version': '0:1.2.6-1.el9_4.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 9.6 Extended Update Support', 'versions': [{'status': 'unaffected', 'version': '0:1.2.6-1.el9_6.1', 'lessThan': '*', 'versionType': 'rpm'}], 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 6', 'packageName': 'PackageKit', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 7', 'packageName': 'compat-PackageKit08', 'collectionURL': 'https://access.redhat.com/downloads/content/package-browser/', 'defaultStatus': 'unaffected'}]
  • CVE Modified by 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

    Jun. 30, 2026

    Action Type Old Value New Value
    Added Affected [{'cpes': ['cpe:/o:redhat:rhel_els:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux Server (v. 7 ELS)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:rhel_els:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux Server Optional (v. 7 ELS)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v. 10.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10.2'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 10)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:8::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_aus:8.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream AUS (v.8.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus_long_life:8.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_aus:8.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream AUS (v.8.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:8.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.8.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_tus:8.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream TUS (v.8.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:8.8::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.8.8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_tus:8.8::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream TUS (v.8.8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.0::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.9.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_e4s:9.2::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream E4S (v.9.2)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v.9.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream EUS (v.9.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9::appstream'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux AppStream (v. 9)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux_eus:10.0'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:10.2'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:8::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CRB (v. 8)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.4::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat CodeReady Linux Builder EUS (v.9.4)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:rhel_eus:9.6::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat CodeReady Linux Builder EUS (v.9.6)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/a:redhat:enterprise_linux:9::crb'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)', 'defaultStatus': 'affected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:6'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 6', 'defaultStatus': 'unaffected'}, {'cpes': ['cpe:/o:redhat:enterprise_linux:7'], 'vendor': 'Red Hat', 'product': 'Red Hat Enterprise Linux 7', 'defaultStatus': 'unaffected'}]
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-367
    Added Reference https://access.redhat.com/errata/RHSA-2026:11504
    Added Reference https://access.redhat.com/errata/RHSA-2026:11635
    Added Reference https://access.redhat.com/errata/RHSA-2026:17558
    Added Reference https://access.redhat.com/errata/RHSA-2026:17560
    Added Reference https://access.redhat.com/errata/RHSA-2026:17561
    Added Reference https://access.redhat.com/errata/RHSA-2026:18024
    Added Reference https://access.redhat.com/errata/RHSA-2026:18031
    Added Reference https://access.redhat.com/errata/RHSA-2026:18036
    Added Reference https://access.redhat.com/errata/RHSA-2026:19141
    Added Reference https://access.redhat.com/errata/RHSA-2026:19354
    Added Reference https://access.redhat.com/errata/RHSA-2026:19454
    Added Reference https://access.redhat.com/errata/RHSA-2026:19601
    Added Reference https://access.redhat.com/errata/RHSA-2026:22146
    Added Reference https://access.redhat.com/security/cve/CVE-2026-41651
    Added Reference https://bugzilla.redhat.com/show_bug.cgi?id=2460604
    Added Reference https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41651.json
  • CVE Modified by [email protected]

    Jun. 17, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'PackageKit', 'product': 'PackageKit', 'versions': [{'status': 'affected', 'version': '>= 1.0.2, <= 1.3.4'}]}]
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 17, 2026

    Action Type Old Value New Value
    Added SSVC {'id': 'CVE-2026-41651', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2026-05-05T00:00:00+00:00'}
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    May. 05, 2026

    Action Type Old Value New Value
    Removed Reference https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
    Removed Reference Type https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Types: Exploit, Third Party Advisory
  • Initial Analysis by [email protected]

    Apr. 24, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:packagekit_project:packagekit:*:*:*:*:*:*:*:* versions from (including) 1.0.2 up to (excluding) 1.3.5
    Added Reference Type GitHub, Inc.: https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277 Types: Product
    Added Reference Type GitHub, Inc.: https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036 Types: Product
    Added Reference Type GitHub, Inc.: https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882 Types: Product
    Added Reference Type GitHub, Inc.: https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv Types: Exploit, Vendor Advisory
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/04/22/6 Types: Mailing List, Patch, Third Party Advisory
    Added Reference Type GitHub, Inc.: https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Types: Exploit, Third Party Advisory
    Added Reference Type CISA-ADP: https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Types: Exploit, Third Party Advisory
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Apr. 22, 2026

    Action Type Old Value New Value
    Added Reference https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Apr. 22, 2026

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2026/04/22/6
  • New CVE Received by [email protected]

    Apr. 22, 2026

    Action Type Old Value New Value
    Added Description PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
    Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-367
    Added Reference https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277
    Added Reference https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036
    Added Reference https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882
    Added Reference https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
    Added Reference https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.