Advisories » MGASA-2026-0180

Updated packagekit packages fix security vulnerability

Publication date: 09 Jun 2026
Modification date: 09 Jun 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-41651

Description

PackageKit vulnerable to TOCTOU Race on Transaction Flags leads to
arbitrary package installation as root. (CVE-2026-41651)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=35428
• https://lists.debian.org/debian-security-announce/2026/msg00136.html
• https://www.openwall.com/lists/oss-security/2026/04/22/6
• https://lists.freedesktop.org/archives/packagekit/2026-April/026513.html
• https://github.com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
• https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.html
• https://www.cve.org/CVERecord?id=CVE-2026-41651

SRPMS

9/core

• packagekit-1.2.6-2.1.mga9