PT-2026-34331 · Unknown · Packagekit

Published: 2026-04-22 · Updated: 2026-04-22 · CVE-2026-41651

CVSS v3.1: 8.8 High (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: PackageKit versions 1.0.2 through 1.3.4

Description: PackageKit contains a time-of-check time-of-use (TOCTOU) race condition involving transaction flags. This issue allows an unprivileged local user to install arbitrary RPM packages as root without authentication, including the execution of RPM scriptlets, leading to local privilege escalation. The flaw stems from three bugs in src/pk-transaction.c: the InstallFiles() function overwrites transaction->cached_transaction_flags without verifying if the transaction is already authorized or running; the pk_transaction_set_state() function silently rejects backward state transitions while leaving corrupted flags intact; and the scheduler's idle callback reads cached transaction flags at dispatch time rather than authorization time.

Recommendations: Update to version 1.3.5.
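The interaction of the three bugs in the description, as a small state-machine model added here for illustration; it is not PackageKit code and not the 1.3.5 patch. All names (struct txn, request, authorize, run_sequence, the ST_* states and FLAGS_* values) are hypothetical, and the model shows that either a state guard on the request path or an authorization-time snapshot of the flags breaks the chain.

```c
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical states and flag values for this model, not PackageKit's enums. */
enum txn_state { ST_NEW, ST_WAITING_AUTH, ST_READY, ST_RUNNING };
#define FLAGS_CHECKED   0x1u /* flags the authorization decision covered */
#define FLAGS_UNCHECKED 0x2u /* flags supplied by a later, repeated request */

struct txn {
    enum txn_state state;
    unsigned cached_flags;     /* mutable request field */
    unsigned authorized_flags; /* snapshot taken when authorization is granted */
};

/* Forward-only setter: a backward move is refused, but nothing else is undone. */
static bool set_state(struct txn *t, enum txn_state s) {
    if (s < t->state) return false;
    t->state = s;
    return true;
}

/* guard=false overwrites flags before any state check (the flawed shape);
 * guard=true leaves a transaction that has left ST_NEW unmodified. */
static bool request(struct txn *t, unsigned flags, bool guard) {
    if (guard && t->state != ST_NEW) return false;
    t->cached_flags = flags;
    return set_state(t, ST_WAITING_AUTH);
}

static void authorize(struct txn *t) {
    t->authorized_flags = t->cached_flags; /* bind the decision to its flags */
    set_state(t, ST_READY);
}

/* Sequence: request, authorize, repeated request, dispatch. Returns the flags
 * the dispatcher acts on: the mutable field, or the snapshot if use_snapshot. */
static unsigned run_sequence(bool guard, bool use_snapshot) {
    struct txn t = { ST_NEW, 0, 0 };
    request(&t, FLAGS_CHECKED, guard);
    authorize(&t);
    request(&t, FLAGS_UNCHECKED, guard); /* arrives after authorization */
    set_state(&t, ST_RUNNING);
    return use_snapshot ? t.authorized_flags : t.cached_flags;
}

int main(void) {
    printf("no guard, live read: 0x%x\n", run_sequence(false, false));
    printf("guard only:          0x%x\n", run_sequence(true, false));
    printf("snapshot only:       0x%x\n", run_sequence(false, true));
    return 0;
}
```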

Exploit

Fix

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers: CVE-2026-41651

Affected Products: Packagekit