Vulnerability in Packagekit
CVE-2026-41651
PackageKit is a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time…
Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)
EPSS: 0.002 (35.7th percentile)
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Packagekit — versions >= 1.0.2, <= 1.3.4
- Packagekit_project Packagekit
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv (x_refsource_CONFIRM, Exploit, Vendor Advisory)
- https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L2273-L2277 (Product, x_refsource_MISC)
- https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L4036 (Product, x_refsource_MISC)
- https://github.com/PackageKit/PackageKit/blob/04057883189efa225a7c785591aa87cb299782f8/src/pk-transaction.c#L873-L882 (Product, x_refsource_MISC)
- https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html (Exploit, x_refsource_MISC, Third Party Advisory)
- af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Patch, Third Party Advisory)
Frequently asked questions
- What is CVE-2026-41651?
- CVE-2026-41651 is a high-severity vulnerability in Packagekit, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 8.8/10. Published 2026-04-22.
- How severe is CVE-2026-41651?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2026-41651 known to be exploited?
- 11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.