PackageKit Vulnerability Allows Local Privilege Escalation via TOCTOU Exploit
The National Vulnerability Database has detailed CVE-2026-41651, a critical vulnerability in PackageKit versions 1.0.2 through 1.3.4. This flaw stems from a time-of-check to time-of-use (TOCTOU) race condition affecting transaction flags. It allows unprivileged local users to install arbitrary RPM packages, including executing root-level scriptlets, by manipulating flags during the transaction process. This bypasses authentication and effectively grants root privileges.
The exploit exploits a flaw in how PackageKit handles transaction flags. Specifically, InstallFiles() unconditionally overwrites flags, even after authorization. A subsequent silent rejection of backward state transitions leaves corrupted flags in place. The scheduler then reads these manipulated flags at execution time, allowing the attacker’s arbitrary package installation to proceed as root. The National Vulnerability Database assigns this a CVSS score of 8.8 (HIGH).
Defenders should prioritize patching PackageKit to version 1.3.5 immediately. For systems that cannot be patched promptly, heightened monitoring for anomalous package installation activity and suspicious RPM scriptlet execution is crucial. Understanding the TOCTOU exploit vector is key for detecting exploitation attempts.
What This Means For You
- If your environment uses Linux distributions relying on PackageKit (versions 1.0.2-1.3.4), you must patch to version 1.3.5 immediately. This vulnerability allows any local, unprivileged user to gain root access, posing a severe risk to system integrity and data security. Audit systems for unauthorized package installations or scriptlet execution.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41651 PackageKit Local Privilege Escalation via TOCTOU
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41651 | Vulnerability | CVE-2026-41651 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 17:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
CVE-2026-30139 — The AdvancedSearch Functionality Of Silverpeas Core Before V Cross-Site Scripting (XSS)
CVE-2026-30139 — A reflected cross-site scripting (XSS) vulnerability in the AdvancedSearch functionality of Silverpeas Core before version 6.4.6 allows attackers to execute arbitrary JavaScript in...
CVE-2025-58922 — ThemeFusion Avada Vulnerability
CVE-2025-58922 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.This issue affects Avada: from n/a before 7.13.2.
CVE-2024-58344 — Cross-Site Scripting (XSS)
CVE-2024-58344 — Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field...