ByteOS Network

PackageKit

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

3Vulnerabilities found

CVE-2026-41651

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.8||HIGH

EPSS-0.20% / 41.71%

7 Day CHG~0.00%

Published-22 Apr, 2026 | 13:11

Updated-06 May, 2026 | 03:56

PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to arbitrary package installation as root

PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

Vendor-packagekit_project PackageKit

Product-packagekit PackageKit

CWE ID-CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

CVE-2020-16122

Assigner-Canonical Ltd.

View Details

Assigner-Canonical Ltd.

CVSS Score-8.2||HIGH

EPSS-0.08% / 23.23%

7 Day CHG~0.00%

Published-07 Nov, 2020 | 04:10

Updated-16 Sep, 2024 | 16:13

Packagekit's apt backend lets user install untrusted local packages

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.

Vendor-packagekit_project PackageKit Canonical Ltd.

Product-packagekit ubuntu_linux packagekit

CWE ID-CWE-269

Improper Privilege Management

CWE ID-CWE-345

Insufficient Verification of Data Authenticity

CVE-2020-16121

Assigner-Canonical Ltd.

View Details

Assigner-Canonical Ltd.

CVSS Score-3.3||LOW

EPSS-0.10% / 27.46%

7 Day CHG~0.00%

Published-07 Nov, 2020 | 04:10

Updated-17 Sep, 2024 | 04:04

PackageKit error messages leak presence and mimetype of files to unprivileged users

PackageKit provided detailed error messages to unprivileged callers that exposed information about file presence and mimetype of files that the user would be unable to determine on its own.

Vendor-packagekit_project PackageKit Canonical Ltd.

Product-packagekit ubuntu_linux PackageKit

CWE ID-CWE-209

Generation of Error Message Containing Sensitive Information