CVE Reports

Originally published at cvereports.com

CVE-2026-41651: Local Privilege Escalation via TOCTOU Race Condition in PackageKit

Vulnerability ID: CVE-2026-41651
CVSS Score: 8.8
Published: 2026-04-22

CVE-2026-41651, internally tracked as Pack2TheRoot, is a high-severity local privilege escalation vulnerability in the PackageKit daemon (packagekitd). The flaw involves a Time-of-Check Time-of-Use (TOCTOU) race condition in D-Bus transaction handling that permits local unprivileged users to bypass Polkit authorization and install arbitrary packages as root.

TL;DR

A TOCTOU race condition in PackageKit's transaction handling allows unprivileged local users to bypass Polkit authorization. Attackers can leverage this to install arbitrary malicious packages as root, leading to complete system compromise. Organizations must update PackageKit to version 1.3.5.

⚠️ Exploit Status: Proof of Concept

Technical Details

  • CWE ID: CWE-367
  • Attack Vector: Local
  • CVSS Score: 8.8
  • Impact: High (Privilege Escalation)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Ubuntu Desktop 18.04, 24.04.4, 26.04
  • Ubuntu Server 22.04 - 24.04
  • Debian Desktop Trixie 13.4
  • RockyLinux Desktop 10.1
  • Fedora 43
  • Red Hat Enterprise Linux (RHEL) via Cockpit
  • PackageKit: >= 1.0.2, <= 1.3.4 (Fixed in: 1.3.5)

Code Analysis

Commit: 76cfb67

Fix transaction state check to prevent TOCTOU race condition

```c
/* Fix from commit 76cfb67: re-check the transaction state at the time the
 * D-Bus method is actually used, not only when it was first checked. Any
 * call on a transaction that has already left the NEW state is rejected
 * with an INVALID_STATE error instead of being processed. */
if (transaction->state != PK_TRANSACTION_STATE_NEW) {
    g_dbus_method_invocation_return_error (invocation,
                           PK_TRANSACTION_ERROR,
                           PK_TRANSACTION_ERROR_INVALID_STATE,
                           "cannot call %s on transaction %s: already in state %s",
                           method_name, transaction->tid,
                           pk_transaction_state_to_string (transaction->state));
    return;
}
```

Exploit Details

Mitigation Strategies

  • Upgrade PackageKit to version 1.3.5 or later.
  • Implement restrictive Polkit rules requiring root authentication for all PackageKit actions as a temporary workaround.
  • Monitor system logs for specific assertion failure crashes indicative of exploitation attempts.
  • Disable the PackageKit daemon entirely if local package management abstraction is not required.

Remediation Steps:

  1. Identify all systems running vulnerable versions of PackageKit (1.0.2 through 1.3.4).
  2. Deploy distribution-provided patches to update the PackageKit package to 1.3.5.
  3. Restart the packagekitd service or reboot the system to apply changes.
  4. Verify the patch application by checking the installed package version.
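The version check in steps 1 and 4 can be scripted across a fleet. The following is an added example, not code from the advisory or from the PackageKit project: it queries the installed PackageKit version through dpkg or rpm (assumed package names `packagekit` and `PackageKit`) and classifies it against the advisory's range of 1.0.2 through 1.3.4, fixed in 1.3.5.

```python
import re
import subprocess
from typing import Optional, Tuple

# Range the advisory gives as vulnerable (inclusive) and the first fixed release.
VULN_MIN = (1, 0, 2)
VULN_MAX = (1, 3, 4)
FIXED = (1, 3, 5)


def parse_upstream_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Extract the upstream x.y.z triple from a distro version string.

    Handles forms such as '1.2.8-2ubuntu1', '1:1.3.4-1' (Debian epoch) and
    '1.2.5-2.el9' (RPM release suffix); returns None if nothing parses.
    """
    m = re.search(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(raw: str) -> str:
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown' for a version string."""
    v = parse_upstream_version(raw)
    if v is None:
        return "unknown"
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    return "unaffected"


def installed_version() -> Optional[str]:
    """Ask dpkg, then rpm, for the installed PackageKit version (None if absent)."""
    # Package names are assumed: 'packagekit' on Debian/Ubuntu, 'PackageKit' on RPM distros.
    for cmd in (["dpkg-query", "-W", "-f=${Version}", "packagekit"],
                ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "PackageKit"]):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    ver = installed_version()
    print(f"PackageKit {ver!r}: {classify(ver) if ver else 'not installed'}")
```

A distribution may backport the fix without changing the upstream version string, so treat a "vulnerable" result as a prompt to check the vendor advisory rather than as proof of exposure.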

References


Read the full report for CVE-2026-41651 on our website for more details including interactive diagrams and full exploit analysis.
