CVE-2026-41651
PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root
Description
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.

A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place.

Three bugs exist in `src/pk-transaction.c`:

1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`), but the flag overwrite at step 1 has already happened. The transaction continues running with corrupted flags.
3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.
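The three defects above, reduced to a toy state machine that runs the same call sequence with and without a check-before-write guard and a flag snapshot taken at authorization. This is an added illustration, not PackageKit source and not the 1.3.5 patch; every type, function and flag name in it is hypothetical.

```c
/* Toy model, not PackageKit source; all names and flag values are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum tx_state { TX_NEW, TX_WAITING_FOR_AUTH, TX_READY, TX_RUNNING };
enum { TX_OK = 0, TX_ERR_STATE = -1 };
enum { FLAG_REVIEWED = 1, FLAG_OTHER = 2 };   /* constructed flag values */
struct tx {
    int strict;                 /* 0 = pattern from the description, 1 = hardened */
    enum tx_state state;
    uint64_t cached_flags;      /* caller-supplied */
    uint64_t authorized_flags;  /* snapshot taken when authorization succeeds */
};

/* Forward-only state machine that reports a rejected transition. */
static int tx_set_state(struct tx *t, enum tx_state next) {
    if (next <= t->state) return TX_ERR_STATE;
    t->state = next;
    return TX_OK;
}
static int tx_request(struct tx *t, uint64_t flags) {
    if (t->strict && t->state != TX_NEW) return TX_ERR_STATE; /* check before write */
    t->cached_flags = flags;        /* non-strict: overwritten in any state */
    int rc = tx_set_state(t, TX_WAITING_FOR_AUTH);
    return t->strict ? rc : TX_OK;  /* non-strict: the rejection is swallowed */
}
static int tx_authorize(struct tx *t) {
    t->authorized_flags = t->cached_flags;  /* freeze what was approved */
    return tx_set_state(t, TX_READY);
}
/* Returns the flags the backend would receive at dispatch time. */
static uint64_t tx_dispatch(struct tx *t) {
    tx_set_state(t, TX_RUNNING);
    return t->strict ? t->authorized_flags : t->cached_flags;
}

/* Request, authorize, request again with other flags, then dispatch. */
static uint64_t run_sequence(int strict, int *second_rc) {
    struct tx t = { .strict = strict, .state = TX_NEW };
    tx_request(&t, FLAG_REVIEWED);
    tx_authorize(&t);
    *second_rc = tx_request(&t, FLAG_OTHER);
    return tx_dispatch(&t);
}

int main(void) {
    int rc0, rc1, f0 = (int)run_sequence(0, &rc0), f1 = (int)run_sequence(1, &rc1);
    printf("as described: flags=%d rc=%d\nhardened: flags=%d rc=%d\n", f0, rc0, f1, rc1);
    return 0;
}
```

In the non-strict run the second request succeeds silently and the dispatched flags differ from the authorized ones; in the strict run the second request fails and dispatch sees only the authorized snapshot.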
INFO
Published Date: April 22, 2026, 2:17 p.m.
Last Modified: May 5, 2026, 8:16 p.m.
Remotely Exploitable: No
Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | HIGH | | | | [email protected] |
| | CVSS 3.1 | HIGH | | | | MITRE-CVE |
Solution
- Update PackageKit to version 1.3.5 or later.
- Apply vendor-provided security patches for PackageKit.
- Review transaction flag handling in PackageKit.
- Ensure proper state management in PackageKit transactions.
Public PoC/Exploit Available on GitHub
CVE-2026-41651 has 21 public PoCs/exploits available on GitHub.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).
None
Python
None
Integrated suite of commonly used tools for Linux practice-target work. With love from ll ❤️, MazeSec Team
Makefile C Python Shell Assembly PHP
Privilege Escalation Vulnerability in PackageKit (TOCTOU Race Condition)
Python Shell
security scan and patch for linux system
Shell
This is a repo containing a script to check whether a Linux system may be affected by Pack2TheRoot / CVE-2026-41651 by reviewing the PackageKit version, service status, changelog, and recent logs. It also offers to update the system, but only if the user explicitly confirms by typing yes. It is a defensive validation script, not an exploit.
Poc for Pack2TheRoot CVE-2026-41651
Dockerfile Shell C Python
my own PoC for this LPE
C
CTF-style Docker lab for CVE-2026-41651 (Pack2TheRoot): PackageKit permissive-polkit local privilege escalation
Dockerfile Shell Makefile C
CVE-2026-41651 — PackageKit TOCTOU LPE
Python
CVE-2026-41651
Shell Python
None
C Python
Automated daily recon for everything new in cybersecurity. Scans 50+ sources every 24 hours.
bugbounty cve-tracker cybersecurity cybersecurity-news cybersecurity-tools exploit-development offensive-security pentesting red-team threat-intelligence
None
Makefile C Dockerfile Shell
Tools for exploiting Linux privilege escalation
Shell Python C Makefile C++
Results are limited to the first 15 repositories due to potential performance issues.
The following news articles mention the CVE-2026-41651 vulnerability anywhere in the article.
- CybersecurityNews
  Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System
  A high-severity privilege escalation vulnerability, dubbed Pack2TheRoot (CVE-2026-41651, CVSS 3.1: 8.8), has been publicly disclosed by Deutsche Telekom’s Red Team, affecting multiple major Linux dist ...
- CybersecurityNews
  Apple Fixes Notification Privacy Flaw That Allowed FBI to Access Deleted Signal Messages
  Apple released iOS 26.4.2 and iPadOS 26.4.2 on April 22, 2026, to patch a critical notification privacy vulnerability that allowed law enforcement to extract Signal message content from iPhones — even ...
- Daily CyberSecurity
  Linux Privilege Escalation: “Pack2TheRoot” Flaw Impacts Major Distributions
  A long-standing security flaw has been unearthed in a core component of the modern Linux desktop and server ecosystem. Known as Pack2TheRoot, this critical vulnerability resides in PackageKit, a D-Bus ...
The following table lists the changes that have been made to the CVE-2026-41651 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, May. 05, 2026

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Removed | Reference | https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html | |
| Removed | Reference Type | https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Types: Exploit, Third Party Advisory | |

- Initial Analysis by [email protected], Apr. 24, 2026

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR `*cpe:2.3:a:packagekit_project:packagekit:*:*:*:*:*:*:*:*` versions from (including) 1.0.2 up to (excluding) 1.3.5 |
| Added | Reference Type | | GitHub, Inc.: https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277 Types: Product |
| Added | Reference Type | | GitHub, Inc.: https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036 Types: Product |
| Added | Reference Type | | GitHub, Inc.: https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882 Types: Product |
| Added | Reference Type | | GitHub, Inc.: https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv Types: Exploit, Vendor Advisory |
| Added | Reference Type | | CVE: http://www.openwall.com/lists/oss-security/2026/04/22/6 Types: Mailing List, Patch, Third Party Advisory |
| Added | Reference Type | | GitHub, Inc.: https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Types: Exploit, Third Party Advisory |
| Added | Reference Type | | CISA-ADP: https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html Types: Exploit, Third Party Advisory |

- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Apr. 22, 2026

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html |

- CVE Modified by af854a3a-2127-422b-91ae-364da2661108, Apr. 22, 2026

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | http://www.openwall.com/lists/oss-security/2026/04/22/6 |

- New CVE Received by [email protected], Apr. 22, 2026

| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | Same text as the Description section at the top of this page |
| Added | CVSS V3.1 | | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Added | CWE | | CWE-367 |
| Added | Reference | | https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277 |
| Added | Reference | | https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036 |
| Added | Reference | | https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882 |
| Added | Reference | | https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv |
| Added | Reference | | https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html |