
CVE-2026-41651 — PackageKit local root exploit

PackageKit <=1.3.4 contains a time-of-check/time-of-use flaw that can let a local user install or remove arbitrary packages, yielding local root privilege escalation on many Linux systems.

The vulnerability disclosure and the fix were announced on 2026-04-22, with 1.3.5 as the fixed upstream release.

Affected versions

  • Vulnerable: PackageKit <=1.3.4 (unless distro-backported patch exists)
  • Fixed: PackageKit 1.3.5+ or distro package with equivalent backport

Indicators of exposure

  • Host has PackageKit installed at a vulnerable version.
  • Untrusted local users can execute local code (multi-user desktop, shared host, or shell access for low-privileged users).

Quick checks:

pkcon --version || packagekitd --version
apt-cache policy packagekit
dnf info PackageKit
rpm -q PackageKit
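As an added example (not code from this advisory or from the PackageKit project), the POSIX shell script below turns the quick checks above and the "respect distro backports" constraint into one repeatable host check: it reads the installed version via dpkg-query or rpm, strips the epoch and distro suffix, compares the upstream part against 1.3.5, and, when the version string alone says vulnerable, looks for CVE-2026-41651 in the distro changelog as a backport hint. The changelog locations and the assumption that a backport names the CVE there are assumptions; treat a changelog hit as a prompt to confirm against the vendor advisory, not as proof.

```shell
#!/bin/sh
# Added example: classify the installed PackageKit against CVE-2026-41651.
# Fixed upstream release per the advisory.
FIXED_VERSION="1.3.5"
CVE_ID="CVE-2026-41651"

# normalize_version VERSION
# Drop a Debian/RPM epoch ("1:") and anything after the upstream numeric part
# ("-2ubuntu1", "+git20260430", ".el9"), leaving digits and dots only.
normalize_version() {
    v=${1#*:}
    printf '%s\n' "$v" | sed 's/[^0-9.].*$//'
}

# version_lt A B -> exit 0 if A < B, comparing dot-separated numeric components.
# Missing components count as 0, so "1.3" < "1.3.5" and "1.3.10" > "1.3.5".
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# assess_version VERSION -> prints "vulnerable" or "patched" by upstream number alone.
assess_version() {
    nv=$(normalize_version "$1")
    if version_lt "$nv" "$FIXED_VERSION"; then
        printf 'vulnerable\n'
    else
        printf 'patched\n'
    fi
}

# detect_packagekit_version -> prints the installed package version, or fails
# when PackageKit is not installed (the advisory's "stop condition").
detect_packagekit_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null) \
            && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' PackageKit 2>/dev/null) \
            && [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# changelog_mentions_cve -> exit 0 if the distro changelog references the CVE.
# Assumption: backports are recorded under the CVE id in these locations.
changelog_mentions_cve() {
    for f in /usr/share/doc/packagekit/changelog.Debian.gz \
             /usr/share/doc/packagekit/changelog.gz; do
        [ -r "$f" ] && zcat "$f" 2>/dev/null | grep -q "$CVE_ID" && return 0
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog PackageKit 2>/dev/null | grep -q "$CVE_ID" && return 0
    fi
    return 1
}

# report_host -> one line an operator can paste into the PR body or TRIAGE.md.
report_host() {
    installed=$(detect_packagekit_version) || {
        echo "PackageKit not installed: stop condition, nothing to remediate for $CVE_ID"
        return 0
    }
    status=$(assess_version "$installed")
    if [ "$status" = "vulnerable" ] && changelog_mentions_cve; then
        status="likely backported (changelog references $CVE_ID; confirm with distro advisory)"
    fi
    echo "PackageKit $installed: $status"
    return 0
}

report_host
```

The numeric comparison deliberately ignores the distro release suffix: a Debian `1.3.4-3` that carries the backport is only distinguishable from an unpatched `1.3.4-2` by the changelog or the distro advisory, which is exactly the "do not assume upstream version string is the only truth" constraint.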

Remediation strategy

  • Upgrade PackageKit to 1.3.5+ or distro-patched package.
  • Reboot or restart PackageKit-related services after patching.
  • For sensitive systems, reduce local untrusted execution paths until all hosts are patched.

The prompt

You are remediating CVE-2026-41651 (PackageKit TOCTOU local root exploit).
Produce exactly one output:

- A PR/change request that upgrades PackageKit to a fixed release and includes
  operator actions, or
- TRIAGE.md if upgrade cannot currently be completed.

## Constraints

- Scope only this CVE.
- Respect distro-specific backports; do not assume upstream version string is
  the only truth.
- Do not auto-merge.

## Steps

1. Detect PackageKit version on target image/host build recipe.
2. Check distro advisory/package metadata for a patched build.
3. If vulnerable:
   - Update package source/version to patched PackageKit (`>=1.3.5` or distro
     equivalent).
   - Include required service restart/reboot instructions for operator.
4. Add a short risk note if host is multi-user and was exposed to untrusted
   local users.
5. Validate provisioning scripts or image build succeeds.
6. Output PR title:
   `fix(sec): remediate CVE-2026-41651 (PackageKit)`.

## Stop conditions

- No patched package is available in the target distro channel.
- Target system does not include PackageKit.
- Build/test failures are unrelated and pre-existing.

Verification — what the reviewer looks for

  • Target package now resolves to patched PackageKit build.
  • Build/deploy pipeline for image or host config still passes.
  • PR body documents restart/reboot action and local-user risk context.
