PT-2026-34331 · Unknown+4 · Packagekit+4
Msatdt · Published 2026-04-08 · Updated 2026-06-16 · CVE-2026-41651
CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PackageKit versions 1.0.2 through 1.3.4
Description
PackageKit, a D-Bus abstraction layer for secure package management across distributions, contains a time-of-check time-of-use (TOCTOU) race condition involving transaction flags. The flaw allows a local unprivileged user to bypass authorization controls and install arbitrary RPM packages, including the execution of RPM scriptlets, as root, leading to local privilege escalation. The issue, dubbed Pack2TheRoot, stems from three bugs in src/pk-transaction.c:
- The InstallFiles() method unconditionally overwrites transaction->cached_transaction_flags with caller-supplied flags, without verifying whether the transaction has already been authorized or is already running.
- The pk_transaction_set_state() function silently rejects backward state transitions (such as RUNNING to WAITING_FOR_AUTH), so the transaction proceeds with the corrupted flags.
- The scheduler's idle callback reads transaction->cached_transaction_flags at the time of dispatch rather than at the time of authorization.
Exploitation can be triggered via the pkcon install command, which may execute without proper authentication under certain conditions, potentially causing an assertion failure and crash in the PackageKit daemon that bypasses security checks.
Recommendations
Update PackageKit to version 1.3.5.
As a temporary workaround, restrict access to the pkcon install command for unprivileged users to minimize the risk of exploitation.
Tags: Exploit · Fix · LPE · Time Of Check To Time Of Use
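The three bugs above combine into one defect class: the flags that the policy check inspected are not the flags the scheduler later runs with. The following constructed C model, added here for illustration and not taken from PackageKit or from the advisory, shows that pattern beside a hardened form. The transaction struct, the state names (TX_STATE_*), the flag bits (TX_FLAG_*) and every function are hypothetical; the "policy" is a stand-in that only grants installs carrying an ONLY_TRUSTED flag. Both paths receive the same sequence of events: flags are set, authorization is granted, a second flag update arrives late, and the transaction is dispatched.

```c
/* Constructed model of an authorization TOCTOU on cached flags.
 * NOT PackageKit code: all names below are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ordered so that a forward transition is a numeric increase. */
typedef enum {
    TX_STATE_NEW = 0,
    TX_STATE_WAITING_FOR_AUTH,
    TX_STATE_READY,
    TX_STATE_RUNNING
} tx_state_t;

#define TX_FLAG_NONE         0u
#define TX_FLAG_ONLY_TRUSTED (1u << 0)   /* the only bit the model policy checks */

typedef struct {
    tx_state_t state;
    uint32_t   cached_flags;      /* whatever the caller last supplied */
    uint32_t   authorized_flags;  /* snapshot taken when authorization was granted */
} transaction_t;

/* Forward-only state machine: a backward request is refused and nothing
 * else happens, i.e. the "silently rejects" behaviour the advisory names. */
static bool tx_set_state(transaction_t *tx, tx_state_t next)
{
    if (next < tx->state)
        return false;
    tx->state = next;
    return true;
}

/* Model policy check; on success the flags that were checked are snapshotted. */
static bool tx_authorize(transaction_t *tx)
{
    tx_set_state(tx, TX_STATE_WAITING_FOR_AUTH);
    if (!(tx->cached_flags & TX_FLAG_ONLY_TRUSTED))
        return false;
    tx->authorized_flags = tx->cached_flags;
    return tx_set_state(tx, TX_STATE_READY);
}

/* Defective pattern: caller flags overwrite the cache regardless of state. */
static void tx_set_flags_vulnerable(transaction_t *tx, uint32_t flags)
{
    tx->cached_flags = flags;
}

/* Hardened: once authorization has been requested, the flags are frozen. */
static bool tx_set_flags_hardened(transaction_t *tx, uint32_t flags)
{
    if (tx->state != TX_STATE_NEW)
        return false;
    tx->cached_flags = flags;
    return true;
}

/* Defective pattern: the scheduler reads the cache at dispatch time. */
static uint32_t tx_dispatch_vulnerable(transaction_t *tx)
{
    tx_set_state(tx, TX_STATE_RUNNING);
    return tx->cached_flags;
}

/* Hardened: the scheduler runs with the flags that were actually authorized. */
static uint32_t tx_dispatch_hardened(transaction_t *tx)
{
    tx_set_state(tx, TX_STATE_RUNNING);
    return tx->authorized_flags;
}

/* Returns the flags the backend would run with on the defective path. */
uint32_t flags_run_vulnerable(void)
{
    transaction_t tx = { TX_STATE_NEW, TX_FLAG_NONE, TX_FLAG_NONE };
    tx_set_flags_vulnerable(&tx, TX_FLAG_ONLY_TRUSTED);
    if (!tx_authorize(&tx))
        return UINT32_MAX;
    tx_set_flags_vulnerable(&tx, TX_FLAG_NONE);    /* lands after the check */
    tx_set_state(&tx, TX_STATE_WAITING_FOR_AUTH);  /* refused, so no re-check */
    return tx_dispatch_vulnerable(&tx);            /* ONLY_TRUSTED is gone */
}

/* Returns the flags the backend would run with on the hardened path. */
uint32_t flags_run_hardened(void)
{
    transaction_t tx = { TX_STATE_NEW, TX_FLAG_NONE, TX_FLAG_NONE };
    tx_set_flags_hardened(&tx, TX_FLAG_ONLY_TRUSTED);
    if (!tx_authorize(&tx))
        return UINT32_MAX;
    if (tx_set_flags_hardened(&tx, TX_FLAG_NONE))  /* refused: state is READY */
        return UINT32_MAX - 1;
    return tx_dispatch_hardened(&tx);              /* still ONLY_TRUSTED */
}

int main(void)
{
    printf("defective path runs with flags 0x%x\n", flags_run_vulnerable());
    printf("hardened path runs with flags  0x%x\n", flags_run_hardened());
    return 0;
}
```

The hardened path applies two of the usual TOCTOU mitigations: the value that was checked is captured at authorization time and is the only value the dispatcher consumes, and mutation of the checked value is refused (with an error the caller can see) once the check has begun. A production fix would also make a refused state transition propagate an error instead of letting the caller continue.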
Affected Products
Linuxmint
Packagekit
Red Os
Rocky Linux
Ubuntu