vulnerability context

CVE-2026-41651

CVSS 8.8 HIGHEPSS 33%CWE-367OTX 7 pulses

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race c...

Published 2026-04-22 · last modified 2026-06-30

details

CISA KEV status: Not in catalog
CVSS v3: 8.8 / HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 33% percentile (score 0.0041)
CWE: CWE-367
OTX pulses: 7 total, 0 recent

View on NVD → · cve.org

source mentions 2

source consensus

Bluesky2×

Want the 3-bullet summary of CVE-2026-41651, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →