PT-2026-34331 · Unknown+3 · Packagekit+3

Msatdt · Published 2026-04-08 · Updated 2026-05-14 · CVE-2026-41651

CVSS v3.1: 8.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PackageKit versions 1.0.2 through 1.3.4

Description

PackageKit, a D-Bus abstraction layer for secure package management across different distributions and architectures, contains a time-of-check time-of-use (TOCTOU) race condition. This issue allows a local unprivileged user to install arbitrary packages, including RPM packages and their associated scriptlets, without authentication, leading to local privilege escalation and full root access. The flaw is caused by a race condition on the transaction->cached_transaction_flags variable combined with a state-machine guard that discards illegal backward transitions while leaving corrupted flags in place.

Technical details involve three bugs in src/pk-transaction.c:
  1. The InstallFiles() function unconditionally overwrites transaction->cached_transaction_flags with caller-supplied flags, even if the transaction is already running.
  2. The pk_transaction_set_state() function silently rejects backward state transitions (such as RUNNING to WAITING_FOR_AUTH), allowing the transaction to continue with corrupted flags.
  3. The scheduler's idle callback reads cached_transaction_flags at the time of dispatch rather than at the time of authorization, causing the backend to process the attacker's flags.
Exploitation can be triggered via the pkcon install command and may result in an assertion failure and crash of the PackageKit daemon.
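
The three defects listed above compose into one check/use gap. The following added example is a simplified C model of that pattern, not PackageKit source and not the change shipped in 1.3.5; the struct, function names and flag values are constructed for illustration. The hardened branch shows one way to break the chain: reject writes once the transaction has left its initial state, and dispatch only the flags recorded at authorization.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model, not PackageKit source; names and flag values are constructed. */
enum state { ST_NEW, ST_WAITING_FOR_AUTH, ST_RUNNING };
#define FLAGS_APPROVED 0x1u /* flags in place when authorization was checked */
#define FLAGS_LATE     0x2u /* flags supplied by a later request */
struct txn { enum state state; uint32_t cached_flags, authorized_flags; bool hardened; };

/* State guard: a backward transition is refused and reported to the caller. */
static bool set_state(struct txn *t, enum state next) {
    if (next < t->state) return false;
    t->state = next;
    return true;
}

/* Request handler. Returns 0 if accepted, -1 if rejected. */
static int txn_request(struct txn *t, uint32_t flags) {
    if (t->hardened && t->state != ST_NEW)
        return -1;                           /* validate before any write */
    t->cached_flags = flags;                 /* defect 1: unconditional overwrite */
    (void)set_state(t, ST_WAITING_FOR_AUTH); /* defect 2: refusal is ignored */
    return 0;
}

/* Authorization decision: record the flags that were approved. */
static void txn_authorize(struct txn *t) {
    t->authorized_flags = t->cached_flags;
    (void)set_state(t, ST_RUNNING);
}

/* Scheduler dispatch: returns the flags the backend would receive. */
static uint32_t txn_dispatch(const struct txn *t) {
    return t->hardened ? t->authorized_flags /* value fixed at check time */
                       : t->cached_flags;    /* defect 3: value at use time */
}

/* Replays request, authorize, second request, dispatch on one transaction. */
static uint32_t replay(bool hardened) {
    struct txn t = { ST_NEW, 0, 0, hardened };
    txn_request(&t, FLAGS_APPROVED);
    txn_authorize(&t);
    txn_request(&t, FLAGS_LATE); /* arrives after the check, before dispatch */
    return txn_dispatch(&t);
}

int main(void) {
    printf("vulnerable: 0x%x, hardened: 0x%x\n", (unsigned)replay(false), (unsigned)replay(true));
    return 0;
}
```

In the unhardened replay the backend receives the late flags even though the state never moved backward, which is why a state guard alone does not close the gap.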
Recommendations

Update PackageKit to version 1.3.5. For Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, and 26.04 LTS, update to the package versions specified in USN-8195-1, such as packagekit version 1.1.13-2ubuntu1.1+esm1. For Ubuntu 25.10, update packagekit to version 1.3.1-1ubuntu1.1. For Ubuntu 24.04 LTS, update packagekit to version 1.2.8-2ubuntu1.5. For Ubuntu 22.04 LTS, update packagekit to version 1.2.5-2ubuntu3.1.

Exploit

Fix

LPE

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

ALSA-2026:11504
ALSA-2026:11635
BDU:2026-05781
CVE-2026-41651
OESA-2026-2140
OPENSUSE-SU-2026:10629-1
RHSA-2026:11504
RHSA-2026:11635
USN-8195-1
USN-8195-2
USN-8195-3

Affected Products

Linuxmint
Packagekit
Rocky Linux
Ubuntu