SB2026042354 - Multiple vulnerabilities in PackageKit
Published: April 23, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper access control (CVE-ID: N/A)
The vulnerability allows a local user to bypass authorization and perform package installation or removal as root.
The vulnerability exists due to improper access control in packagekitd and the Slackware backend when processing install or remove transactions with the ONLY_DOWNLOAD flag set. A local user can send a crafted package management request with the ONLY_DOWNLOAD flag to bypass authorization and perform package installation or removal as root.
The issue affects the Slackware backend because it does not enforce download-only behavior for install and remove operations.
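What makes this bug possible is that authorization and enforcement live in different components: packagekitd decides how much privilege a transaction needs, and for a download-only request it can demand less, while it is the backend that has to actually stop after the download. The model below is an added illustration, not PackageKit's or the Slackware backend's code; it uses a hypothetical polkit-style policy and hypothetical action, flag and user names to show a backend that ignores the flag beside one that honours it. Removal follows the same shape and is omitted.

```python
"""Model of the trust split behind the ONLY_DOWNLOAD bypass (added illustration,
not PackageKit code): the daemon relaxes authorization, the backend must enforce."""
from enum import Flag, auto


class TxFlag(Flag):
    NONE = 0
    ONLY_TRUSTED = auto()
    SIMULATE = auto()
    ONLY_DOWNLOAD = auto()


class NotAuthorized(PermissionError):
    pass


# Hypothetical polkit-style policy. Filling the package cache is cheaper to
# authorize than installing, which is exactly why the daemon downgrades.
POLICY = {
    "package-install": {"root", "admin"},
    "package-download": {"root", "admin", "alice"},
}


class System:
    def __init__(self):
        self.cache = set()
        self.installed = set()


class VulnerableBackend:
    """Ignores ONLY_DOWNLOAD: the behaviour the bulletin attributes to the Slackware backend."""

    def install(self, system, flags, pkgs):
        for p in pkgs:
            system.cache.add(p)
            system.installed.add(p)     # runs as root regardless of the flag


class FixedBackend:
    """Honours ONLY_DOWNLOAD: stops once the packages are in the cache."""

    def install(self, system, flags, pkgs):
        for p in pkgs:
            system.cache.add(p)
        if TxFlag.ONLY_DOWNLOAD in flags:
            return
        for p in pkgs:
            system.installed.add(p)


def action_for(flags):
    """Daemon side: the action a caller must be authorized for. This downgrade
    is only safe if every backend really stops after the download."""
    if TxFlag.ONLY_DOWNLOAD in flags:
        return "package-download"
    return "package-install"


def run_install(user, backend, flags, pkgs):
    """Daemon side: authorize, then hand the transaction and its flags to the backend."""
    action = action_for(flags)
    if user not in POLICY[action]:
        raise NotAuthorized(f"{user} is not authorized for {action}")
    system = System()
    backend.install(system, flags, pkgs)
    return system


def demo_only_download():
    """Outcomes for the unprivileged user 'alice' asking to install 'pkg'."""
    out = {}
    out["vulnerable"] = sorted(run_install("alice", VulnerableBackend(),
                                           TxFlag.ONLY_DOWNLOAD, ["pkg"]).installed)
    out["fixed"] = sorted(run_install("alice", FixedBackend(),
                                      TxFlag.ONLY_DOWNLOAD, ["pkg"]).installed)
    try:
        run_install("alice", FixedBackend(), TxFlag.NONE, ["pkg"])
        out["plain_install"] = "allowed"
    except NotAuthorized:
        out["plain_install"] = "denied"
    return out
```

The point the model makes is that the daemon cannot tell the two backends apart: both return success for a download-only transaction, so a backend that does not implement the flag must either be fixed or must not be offered the relaxed authorization at all.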
2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-41651)
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a time-of-check time-of-use race condition in PackageKit when installing packages. A local user can win a race condition to install arbitrary packages as root to escalate privileges.
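The bulletin does not say which check is raced. The model below is an added illustration, not PackageKit's code, and assumes the most common shape of such a bug in an installer: a package file is verified by path and then opened again by path to install it, leaving a window in which a user who controls the directory can swap the file. The `window` hook stands in for the scheduler so the race is deterministic; the digests, file names and the `install_from_bytes` stand-in are constructed for the example.

```python
"""Model of a check-then-use window in a package installer (added illustration,
not PackageKit code), with the open-once fix beside it."""
import hashlib
import os
import tempfile

# Constructed sample data: one package the installer trusts, one it must reject.
TRUSTED_PKG = b"trusted-package-contents"
MALICIOUS_PKG = b"malicious-package-contents"
TRUSTED_DIGESTS = {hashlib.sha256(TRUSTED_PKG).hexdigest()}


class UntrustedPackage(Exception):
    pass


def install_from_bytes(data):
    """Stand-in for unpacking a package as root; returns what got 'installed'."""
    return "trusted" if data == TRUSTED_PKG else "malicious"


def install_vulnerable(path, window=None):
    """Verify by path, then install by path: the TOCTOU pattern."""
    with open(path, "rb") as f:                                  # time of check
        if hashlib.sha256(f.read()).hexdigest() not in TRUSTED_DIGESTS:
            raise UntrustedPackage(path)
    if window is not None:
        window()                           # attacker's rename lands here
    with open(path, "rb") as f:                                  # time of use: new lookup
        return install_from_bytes(f.read())


def install_fixed(path, window=None):
    """Open once, verify the bytes actually held, install exactly those bytes."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() not in TRUSTED_DIGESTS:
        raise UntrustedPackage(path)
    if window is not None:
        window()                           # path may change now; it is never consulted again
    return install_from_bytes(data)


def demo_toctou():
    """Run both installers against an attacker who swaps the file in the window."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "pkg.txz")
        evil = os.path.join(d, "evil.txz")

        def swap():
            # Attacker-writable directory: atomically replace the checked path.
            with open(evil, "wb") as f:
                f.write(MALICIOUS_PKG)
            os.replace(evil, pkg)

        for name, fn in (("vulnerable", install_vulnerable), ("fixed", install_fixed)):
            with open(pkg, "wb") as f:
                f.write(TRUSTED_PKG)
            results[name] = fn(pkg, window=swap)

        # Without the race, the malicious file is rejected outright.
        with open(pkg, "wb") as f:
            f.write(MALICIOUS_PKG)
        try:
            install_vulnerable(pkg)
            results["no_race"] = "installed"
        except UntrustedPackage:
            results["no_race"] = "rejected"
    return results
```

Reading the whole package into memory only works for this toy; a real installer keeps the descriptor open, verifies through it, and hands that same descriptor (or a private copy made from it) to the unpacker, and it should refuse to install from a directory the requesting user can write to in the first place.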
Remediation
Install the update from the vendor's website.