PatchSiren

PackageKit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH PackageKit CVE published 2026-04-22

CVE-2026-41651

CVE-2026-41651 is a high-severity vulnerability in PackageKit, a D-Bus abstraction layer for package management. A local unprivileged user can exploit a TOCTOU (time-of-check to time-of-use) race condition on transaction flags to install packages as root, leading to local privilege escalation. The vulnerability affects PackageKit versions 1.0.2 through 1.3.4 inclusive, and is patched in version 1.3 [truncated]