Share
## https://sploitus.com/exploit?id=3DCA8BBF-76DF-5AAB-B5A4-923CE9C8250F
# ๐Ÿ”ฅ CVE-2026-41651 โ€” PackageKit TOCTOU Local Privilege Escalation (Pack2TheRoot)

[![License](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
[![CVE](https://img.shields.io/badge/CVE-2026--41651-red.svg)](https://vulners.com/cve/CVE-2026-41651)
[![Exploit](https://img.shields.io/badge/Exploit-LPE-success.svg)]()

> Local Privilege Escalation exploit targeting the PackageKit daemon.  
> Escalates from an unprivileged local user to `root` through a TOCTOU race condition vulnerability.

---

# ๐Ÿ“Œ Overview

**CVE-2026-41651** (also known as **Pack2TheRoot**) is a critical **TOCTOU (Time-Of-Check to Time-Of-Use)** race condition vulnerability in **PackageKit**, a system service used by many Linux distributions for package management abstraction.

The vulnerability allows a local unprivileged user to manipulate PackageKit transaction states and bypass authorization checks under specific conditions.

## Impact

An attacker with local access may be able to:

- Install arbitrary packages with elevated privileges
- Execute package maintainer scripts as `root`
- Achieve full local privilege escalation
- Bypass expected `polkit` authorization behavior

---

# โš ๏ธ Affected Versions

| Component | Vulnerable Versions | Fixed Version |
| --- | --- | --- |
| **PackageKit** | `1.0.2` โ€“ `1.3.4` | `1.3.5` |

### โœ… Tested On

- Ubuntu 24.04 (Noble Numbat)
- Ubuntu 22.04 (Jammy Jellyfish)
- Debian 12 (Bookworm)
- Kali Linux (latest)
- Other Debian/Ubuntu-based distributions using vulnerable PackageKit versions

---

# ๐Ÿ”ฌ Technical Details

## Root Cause

The issue originates from multiple logic flaws inside `src/pk-transaction.c`.

| Bug | Location | Description |
| --- | --- | --- |
| **BUG 1** | Line 4036 | `InstallFiles()` overwrites cached transaction flags and paths without proper state validation |
| **BUG 2** | Lines 876โ€“881 | `pk_transaction_set_state()` silently rejects backward state transitions |
| **BUG 3** | Lines 2273โ€“2277 | `pk_transaction_run()` reads cached flags during dispatch rather than authorization |
| **BYPASS** | Lines 2893โ€“2900 | `SIMULATE` flag (`0x4`) skips `polkit` authorization checks |

---

## Attack Flow

```text
Attacker (unprivileged)                packagekitd (root)
โ”‚                                      โ”‚
โ”œโ”€โ”€ 1. InstallFiles(SIMULATE) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚ polkit bypassed โ†’ state = READY
โ”‚                                      โ”‚ queued async dispatch
โ”‚
โ”œโ”€โ”€ 2. InstallFiles(payload) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚ cached flags overwritten
โ”‚                                      โ”‚ invalid state transition ignored
โ”‚
โ”‚ [dispatch occurs]                    โ”‚
โ”‚                                      โ”‚ payload processed as root
โ”‚                                      โ”‚ maintainer scripts executed
โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บ โ”‚ privilege escalation achieved
```

---

# ๐Ÿš€ Quick Start

## Prerequisites

Install required development libraries:

```bash
sudo apt update
sudo apt install libglib2.0-dev
```

---

## Clone Repository

```bash
git clone https://github.com/Lutfifakee-Project/CVE-2026-41651.git
cd CVE-2026-41651
```

---

## Compile

```bash
gcc -o exploit CVE-2026-41651.c \
`pkg-config --cflags --libs glib-2.0 gio-2.0` \
-Wall
```

---

## Run

> Run as an unprivileged user.

```bash
./exploit
```

---

# ๐Ÿ–ฅ๏ธ Example Output

```text
  ______   ______    ___  ___  ___  ____     ___________ _______
 / ___/ | / / __/___|_  |/ _ \|_  |/ __/____/ / <  / __// __<  /
/ /__ | |/ / _//___/ __// // / __// _ \/___/_  _/ / _ \/__ \/ /
\___/ |___/___/   /____/\___/____/\___/     /_//_/\___/____/_/

CVE-2026-41651 - PackageKit TOCTOU Local Privilege Escalation
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Building packages...
[*] Starting race condition...
[*] Waiting for dispatch...
[*] Polling for payload...
[+] SUCCESS โ€” privilege escalation completed
```

---

# ๐Ÿ›ก๏ธ Detection & Mitigation

## Check Installed Version

```bash
pkcon --version
```

Or:

```bash
dpkg -l | grep packagekit
```

### Version Status

- Vulnerable โ†’ `1.0.2` โ€“ `1.3.4`
- Patched โ†’ `1.3.5` or later

---

## Update PackageKit

```bash
sudo apt update
sudo apt upgrade packagekit
```

---

## Manual Patch

Official releases:

- https://github.com/PackageKit/PackageKit/releases

---

# โš ๏ธ Disclaimer

This repository is provided strictly for:

- Security research
- Defensive security testing
- Educational purposes
- Authorized penetration testing

The author is **not responsible** for any misuse, illegal activity, or damage caused by this project.

Do not use this software against systems you do not own or have explicit permission to test.

---

# ๐Ÿ“š References

- [NVD โ€” CVE-2026-41651](https://nvd.nist.gov/vuln/detail/CVE-2026-41651)
- [GitHub Security Advisory](https://github.com/advisories/GHSA-f55j-vvr9-69xv)
- [PackageKit Security Fix Commit](https://github.com/PackageKit/PackageKit/commit/76cfb675)
- [OSS-Security Announcement](https://www.openwall.com/lists/oss-security/2026/04/23/1)