PatchSiren cyber security CVE debrief

CVE-2026-41651 PackageKit CVE debrief

CVE-2026-41651 is a high-severity vulnerability in PackageKit, a D-Bus abstraction layer for package management. A local unprivileged user can exploit a TOCTOU (time-of-check to time-of-use) race condition on transaction flags to install packages as root, leading to local privilege escalation. The vulnerability affects PackageKit versions 1.0.2 through 1.3.4 inclusive and is patched in version 1.3.5. An attacker can install arbitrary RPM packages as root, including execution of RPM scriptlets, without authentication. The vulnerability is caused by three bugs in `src/pk-transaction.c`: unconditional flag overwrite, silent state-transition rejection, and late flag read at execution time.

Vendor: PackageKit
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-22
Original CVE updated: 2026-06-30
Advisory published: 2026-04-22
Advisory updated: 2026-06-30

Who should care

System administrators and users of PackageKit-based systems should be aware of this vulnerability and take immediate action to patch vulnerable systems. This vulnerability can be exploited by a local unprivileged user, making it a significant concern for multi-user systems. Red Hat and other affected vendors have released errata and patches to address this issue.

Technical summary

The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags`, combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs in `src/pk-transaction.c` contribute:

  • Unconditional flag overwrite: caller-supplied flags are written to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized or started.
  • Silent state-transition rejection: backward state transitions are discarded without an error, but the corrupted flags are left in place.
  • Late flag read at execution time: `cached_transaction_flags` is read at dispatch time, not at authorization time.
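A simplified C model of the three-bug pattern described above, next to a hardened variant that rejects late requests before touching any field and executes from a snapshot taken at authorization. This is an added illustration, not PackageKit source or the upstream patch; the struct, function names and flag values are hypothetical.

```c
/* Simplified model of the pattern; every name and value here is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum state { ST_NEW, ST_WAITING_AUTH, ST_READY, ST_RUNNING };
static const uint32_t FLAGS_A = 0x1u, FLAGS_B = 0x2u;  /* constructed flag values */
struct txn {
    enum state state;
    uint32_t cached_flags;      /* last value supplied by the caller */
    uint32_t authorized_flags;  /* hardened path: snapshot taken at authorization */
};
/* State guard: a backward or repeated transition is refused. */
static bool set_state(struct txn *t, enum state next) {
    if (next <= t->state) return false;
    t->state = next;
    return true;
}

/* Weak: flags are overwritten first, and the guard's refusal is ignored. */
static bool request_weak(struct txn *t, uint32_t flags) {
    t->cached_flags = flags;
    (void)set_state(t, ST_WAITING_AUTH);
    return true;
}

/* Hardened: reject the call before any field is modified. */
static bool request_hardened(struct txn *t, uint32_t flags) {
    if (t->state != ST_NEW) return false;
    t->cached_flags = flags;
    return set_state(t, ST_WAITING_AUTH);
}
static void authorize(struct txn *t) {
    t->authorized_flags = t->cached_flags;  /* bind the decision to these flags */
    (void)set_state(t, ST_READY);
}

/* Returns the flags the backend would run with when a second request follows authorization. */
static uint32_t replay(bool hardened) {
    struct txn t = { ST_NEW, 0, 0 };
    bool (*request)(struct txn *, uint32_t) = hardened ? request_hardened : request_weak;
    request(&t, FLAGS_A);
    authorize(&t);
    request(&t, FLAGS_B);   /* arrives after authorization */
    return hardened ? t.authorized_flags : t.cached_flags;  /* weak: late read */
}
int main(void) {
    printf("weak=%u hardened=%u\n", (unsigned)replay(false), (unsigned)replay(true));
}
```

In the weak path the executed flags differ from the authorized ones; in the hardened path the second request is refused and the authorized snapshot is what runs.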

Defensive priority

High priority should be given to patching vulnerable systems, as this vulnerability can be exploited by a local unprivileged user to gain root privileges. System administrators should apply patches or updates as soon as possible to prevent exploitation.

Recommended defensive actions

  • Apply patches or updates to PackageKit as soon as possible to prevent exploitation.
  • Review system logs for suspicious activity related to PackageKit transactions.
  • Implement additional monitoring and logging to detect potential exploitation attempts.
  • Restrict access to PackageKit and related services to authorized users only.
  • Consider implementing compensating controls, such as SELinux or other mandatory access control mechanisms, to limit the impact of a potential exploit.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, its impact, and affected versions. The source item URL provides additional information on the vulnerability and its exploitation. Red Hat and other affected vendors have released errata and patches to address this issue.

This article was generated with AI assistance based on the supplied source corpus.