D-Bus Abstraction Layer Vulnerability in PackageKit from Vendor PackageKit
CVE-2026-41651
8.8 HIGH
What is CVE-2026-41651?
A vulnerability exists in PackageKit versions 1.0.2 through 1.3.4 that allows an unprivileged local user to exploit a time-of-check time-of-use (TOCTOU) race condition. By manipulating transaction flags, an attacker can have arbitrary RPM packages installed as root without any authentication. The flaw stems from three issues in the source code: improper handling of flag overwrites between transaction phases, silent rejection of state transitions that leaves the flags in a corrupted state, and a late read of the transaction flags that results in unauthorized access. The issue is fixed in version 1.3.5.
Affected Version(s)
PackageKit >= 1.0.2, <= 1.3.4
