Share
## https://sploitus.com/exploit?id=3DCA8BBF-76DF-5AAB-B5A4-923CE9C8250F
# ๐ฅ CVE-2026-41651 โ PackageKit TOCTOU Local Privilege Escalation (Pack2TheRoot)
[](LICENSE)
[](https://vulners.com/cve/CVE-2026-41651)
[]()
> Local Privilege Escalation exploit targeting the PackageKit daemon.
> Escalates from an unprivileged local user to `root` through a TOCTOU race condition vulnerability.
---
# ๐ Overview
**CVE-2026-41651** (also known as **Pack2TheRoot**) is a critical **TOCTOU (Time-Of-Check to Time-Of-Use)** race condition vulnerability in **PackageKit**, a system service used by many Linux distributions for package management abstraction.
The vulnerability allows a local unprivileged user to manipulate PackageKit transaction states and bypass authorization checks under specific conditions.
## Impact
An attacker with local access may be able to:
- Install arbitrary packages with elevated privileges
- Execute package maintainer scripts as `root`
- Achieve full local privilege escalation
- Bypass expected `polkit` authorization behavior
---
# โ ๏ธ Affected Versions
| Component | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| **PackageKit** | `1.0.2` โ `1.3.4` | `1.3.5` |
### โ
Tested On
- Ubuntu 24.04 (Noble Numbat)
- Ubuntu 22.04 (Jammy Jellyfish)
- Debian 12 (Bookworm)
- Kali Linux (latest)
- Other Debian/Ubuntu-based distributions using vulnerable PackageKit versions
---
# ๐ฌ Technical Details
## Root Cause
The issue originates from multiple logic flaws inside `src/pk-transaction.c`.
| Bug | Location | Description |
| --- | --- | --- |
| **BUG 1** | Line 4036 | `InstallFiles()` overwrites cached transaction flags and paths without proper state validation |
| **BUG 2** | Lines 876โ881 | `pk_transaction_set_state()` silently rejects backward state transitions |
| **BUG 3** | Lines 2273โ2277 | `pk_transaction_run()` reads cached flags during dispatch rather than authorization |
| **BYPASS** | Lines 2893โ2900 | `SIMULATE` flag (`0x4`) skips `polkit` authorization checks |
---
## Attack Flow
```text
Attacker (unprivileged) packagekitd (root)
โ โ
โโโ 1. InstallFiles(SIMULATE) โโโโโโโโบ โ polkit bypassed โ state = READY
โ โ queued async dispatch
โ
โโโ 2. InstallFiles(payload) โโโโโโโโโโบ โ cached flags overwritten
โ โ invalid state transition ignored
โ
โ [dispatch occurs] โ
โ โ payload processed as root
โ โ maintainer scripts executed
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโบ โ privilege escalation achieved
```
---
# ๐ Quick Start
## Prerequisites
Install required development libraries:
```bash
sudo apt update
sudo apt install libglib2.0-dev
```
---
## Clone Repository
```bash
git clone https://github.com/Lutfifakee-Project/CVE-2026-41651.git
cd CVE-2026-41651
```
---
## Compile
```bash
gcc -o exploit CVE-2026-41651.c \
`pkg-config --cflags --libs glib-2.0 gio-2.0` \
-Wall
```
---
## Run
> Run as an unprivileged user.
```bash
./exploit
```
---
# ๐ฅ๏ธ Example Output
```text
______ ______ ___ ___ ___ ____ ___________ _______
/ ___/ | / / __/___|_ |/ _ \|_ |/ __/____/ / < / __// __< /
/ /__ | |/ / _//___/ __// // / __// _ \/___/_ _/ / _ \/__ \/ /
\___/ |___/___/ /____/\___/____/\___/ /_//_/\___/____/_/
CVE-2026-41651 - PackageKit TOCTOU Local Privilege Escalation
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Building packages...
[*] Starting race condition...
[*] Waiting for dispatch...
[*] Polling for payload...
[+] SUCCESS โ privilege escalation completed
```
---
# ๐ก๏ธ Detection & Mitigation
## Check Installed Version
```bash
pkcon --version
```
Or:
```bash
dpkg -l | grep packagekit
```
### Version Status
- Vulnerable โ `1.0.2` โ `1.3.4`
- Patched โ `1.3.5` or later
---
## Update PackageKit
```bash
sudo apt update
sudo apt upgrade packagekit
```
---
## Manual Patch
Official releases:
- https://github.com/PackageKit/PackageKit/releases
---
# โ ๏ธ Disclaimer
This repository is provided strictly for:
- Security research
- Defensive security testing
- Educational purposes
- Authorized penetration testing
The author is **not responsible** for any misuse, illegal activity, or damage caused by this project.
Do not use this software against systems you do not own or have explicit permission to test.
---
# ๐ References
- [NVD โ CVE-2026-41651](https://nvd.nist.gov/vuln/detail/CVE-2026-41651)
- [GitHub Security Advisory](https://github.com/advisories/GHSA-f55j-vvr9-69xv)
- [PackageKit Security Fix Commit](https://github.com/PackageKit/PackageKit/commit/76cfb675)
- [OSS-Security Announcement](https://www.openwall.com/lists/oss-security/2026/04/23/1)