PT-2026-34331 · Unknown+4 · Packagekit+4
Msatdt
·
Published
2026-04-08
·
Updated
2026-06-30
·
CVE-2026-41651
CVSS v3.1
8.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
PackageKit versions 1.0.2 through 1.3.4
Description
PackageKit is a D-Bus abstraction layer used to manage packages across different distributions and architectures. A time-of-check time-of-use (TOCTOU) race condition exists in the handling of transaction flags, which allows a local unprivileged user to install arbitrary RPM packages as root without authentication, leading to local privilege escalation. This issue, dubbed Pack2TheRoot, can be triggered via the
pkcon install command.The flaw involves three bugs in
src/pk-transaction.c:- The
InstallFiles()function unconditionally overwritestransaction->cached transaction flagswith caller-supplied flags, even if the transaction is already running. - The
pk transaction set state()function silently rejects backward state transitions (such asRUNNINGtoWAITING FOR AUTH), allowing the transaction to proceed with corrupted flags. - The scheduler's idle callback reads
transaction->cached transaction flagsat dispatch time rather than authorization time, causing the backend to execute the attacker's flags.
Exploitation may cause an assertion failure in the PackageKit daemon, resulting in a crash that is visible in system logs.
Recommendations
Update PackageKit to version 1.3.5.
As a temporary mitigation, restrict the use of the
pkcon install command for unprivileged users.Exploit
Fix
LPE
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Packagekit
Red Os
Rocky Linux
Ubuntu