PT-2026-34331 · Unknown+4 · Packagekit+4

Msatdt

·

Published

2026-04-08

·

Updated

2026-06-30

·

CVE-2026-41651

CVSS v3.1

8.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions PackageKit versions 1.0.2 through 1.3.4
Description PackageKit is a D-Bus abstraction layer used to manage packages across different distributions and architectures. A time-of-check time-of-use (TOCTOU) race condition exists in the handling of transaction flags, which allows a local unprivileged user to install arbitrary RPM packages as root without authentication, leading to local privilege escalation. This issue, dubbed Pack2TheRoot, can be triggered via the pkcon install command.
The flaw involves three bugs in src/pk-transaction.c:
  1. The InstallFiles() function unconditionally overwrites transaction->cached transaction flags with caller-supplied flags, even if the transaction is already running.
  2. The pk transaction set state() function silently rejects backward state transitions (such as RUNNING to WAITING FOR AUTH), allowing the transaction to proceed with corrupted flags.
  3. The scheduler's idle callback reads transaction->cached transaction flags at dispatch time rather than authorization time, causing the backend to execute the attacker's flags.
Exploitation may cause an assertion failure in the PackageKit daemon, resulting in a crash that is visible in system logs.
Recommendations Update PackageKit to version 1.3.5. As a temporary mitigation, restrict the use of the pkcon install command for unprivileged users.

Exploit

Fix

LPE

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:11504
ALSA-2026:11635
ALSA-2026:19141
ALSA-2026:19354
BDU:2026-05781
CVE-2026-41651
GHSA-F55J-VVR9-69XV
OESA-2026-2140
OPENSUSE-SU-2026:10629-1
OPENSUSE-SU-2026:20646-1
RHSA-2026:11504
RHSA-2026:11635
RHSA-2026:17558
RHSA-2026:17560
RHSA-2026:17561
RHSA-2026:18024
RHSA-2026:18031
RHSA-2026:18036
RHSA-2026:19141
RHSA-2026:19354
RHSA-2026:19454
RHSA-2026:19601
RHSA-2026:22146
SUSE-SU-2026:1619-1
SUSE-SU-2026:1619-2
SUSE-SU-2026:1700-1
SUSE-SU-2026:1701-1
SUSE-SU-2026:1939-1
SUSE-SU-2026:21427-1
USN-8195-1
USN-8195-2
USN-8195-3

Affected Products

Linuxmint
Packagekit
Red Os
Rocky Linux
Ubuntu