Skip to main content

PackageKit EUVDEUVD-2026-24742

| CVE-2026-41651 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-22 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch released
Apr 29, 2026 - 02:30 nvd
Patch available
Re-analysis Queued
Apr 22, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 14:58 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:00 euvd
EUVD-2026-24742
Analysis Generated
Apr 22, 2026 - 14:00 vuln.today
CVE Published
Apr 22, 2026 - 13:11 nvd
HIGH 8.8

DescriptionCVE.org

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.

A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on transaction->cached_transaction_flags combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in src/pk-transaction.c:

  1. Unconditional flag overwrite (line 4036): InstallFiles() writes caller-supplied flags to transaction->cached_transaction_flags without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.
  2. Silent state-transition rejection (lines 873-882): pk_transaction_set_state() silently discards backward state transitions (e.g. RUNNINGWAITING_FOR_AUTH) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.
  3. Late flag read at execution time (lines 2273-2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

AnalysisAI

Local privilege escalation in PackageKit 1.0.2-1.3.4 allows unprivileged Linux users to install arbitrary RPM packages as root without authentication via TOCTOU race condition on transaction flags. The vulnerability exploits three synchronized bugs in the transaction state machine: unconditional flag overwrite, silent state-transition rejection that leaves corrupted flags, and late flag validation at dispatch time. Actively exploited in targeted attacks according to vendor advisory. CVSS 8.8 with scope change reflects full system compromise from low-privileged account. Patched in version 1.3.5.

Technical ContextAI

PackageKit is a D-Bus service (cpe:2.3:a:packagekit:packagekit) that provides cross-distribution package management with PolicyKit authorization integration. The vulnerability (CWE-367: Time-of-Check Time-of-Use Race Condition) exists in src/pk-transaction.c where transaction->cached_transaction_flags controls authorization decisions. The flaw involves three interacting code paths: InstallFiles() at line 4036 performs unconditional write to cached flags without checking transaction state; pk_transaction_set_state() at lines 873-882 silently rejects backward state transitions (e.g., RUNNING→WAITING_FOR_AUTH) while leaving the corrupted flags from step one intact; the scheduler's idle callback at lines 2273-2277 reads flags at dispatch time rather than authorization time. This timing window allows an attacker to pass initial PolicyKit authorization with safe flags, then overwrite them with privileged flags during the race between authorization and execution. The D-Bus interface makes the vulnerable InstallFiles() method callable by any local user, and the RPM backend executes package scriptlets as root based on the corrupted flags.

RemediationAI

Upgrade to PackageKit version 1.3.5 or later, which patches the TOCTOU race condition by fixing the three synchronized bugs in transaction state management. Vendor patch available through standard distribution update channels or from upstream source at https://github.com/PackageKit/PackageKit. For systems unable to immediately upgrade, implement these compensating controls with trade-offs: (1) Restrict D-Bus access to PackageKit's InstallFiles method via D-Bus policy configuration (effect: breaks legitimate package installation workflows for non-root users, may impact GUI package managers). (2) Disable PackageKit service entirely if not required (systemctl mask packagekit) and use distribution-native package managers with direct root authentication (effect: breaks desktop environment integration, automatic update notifications, and cross-platform package management tools). (3) Deploy mandatory access control policies (SELinux/AppArmor) preventing low-privileged processes from invoking PackageKit D-Bus methods (effect: requires custom policy development and testing per distribution). No effective network-layer mitigation exists due to local-only attack vector. Verify patch application by checking installed version: pkcon --version or rpm -q PackageKit (RHEL/Fedora) or dpkg -l packagekit (Debian/Ubuntu).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

EUVD-2026-24742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy