{"id":"CVE-2026-41651","summary":"PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root","details":"PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5.\n\nA local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction-\u003ecached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`:\n1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction-\u003ecached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING.\n2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags.\n3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads `cached_transaction_flags` at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.","aliases":["GHSA-f55j-vvr9-69xv"],"modified":"2026-05-01T18:44:37.595395729Z","published":"2026-04-22T13:11:40.174Z","related":["ALSA-2026:11504","ALSA-2026:11635","SUSE-SU-2026:1619-1","openSUSE-SU-2026:10629-1","openSUSE-SU-2026:20646-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41651.json","cwe_ids":["CWE-367"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/22/6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41651.json"},{"type":"WEB","url":"https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277"},{"type":"WEB","url":"https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036"},{"type":"WEB","url":"https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882"},{"type":"ADVISORY","url":"https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv"},{"type":"WEB","url":"https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41651"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/packagekit/packagekit","events":[{"introduced":"8b16f323f7c465914c8d67c03f29d72820cb12c7"},{"last_affected":"aa8e994711b1debd485e8d2e06f5ff4ac3494a65"}],"database_specific":{"extracted_events":[{"introduced":"1.0.2"},{"last_affected":"1.3.4"}],"source":"AFFECTED_FIELD"}}],"versions":["PACKAGEKIT_1_0_10","PACKAGEKIT_1_0_11","PACKAGEKIT_1_0_2","PACKAGEKIT_1_0_3","PACKAGEKIT_1_0_4","PACKAGEKIT_1_0_5","PACKAGEKIT_1_0_6","PACKAGEKIT_1_0_7","PACKAGEKIT_1_0_8","PACKAGEKIT_1_0_9","PACKAGEKIT_1_1_0","PACKAGEKIT_1_1_1","PACKAGEKIT_1_1_10","PACKAGEKIT_1_1_11","PACKAGEKIT_1_1_12","PACKAGEKIT_1_1_13","PACKAGEKIT_1_1_2","PACKAGEKIT_1_1_3","PACKAGEKIT_1_1_5","PACKAGEKIT_1_1_6","PACKAGEKIT_1_1_7","PACKAGEKIT_1_1_8","PACKAGEKIT_1_1_9","PACKAGEKIT_1_2_0","PACKAGEKIT_1_2_1","PACKAGEKIT_1_2_2","PACKAGEKIT_1_2_3","PACKAGEKIT_1_2_4","PACKAGEKIT_1_2_5","v1.2.6","v1.2.7","v1.2.8","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41651.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}