
Monday, May 18, 2026

PackageKit LPE Race Condition (CVE-2026-41651): full guide for openSUSE

 


PackageKit race condition (CVE-2026-41651) lets any local user gain root. This guide shows openSUSE commands to check your system, apply the fix, and block exploitation—plus a bash script and AppArmor/iptables workarounds.


SUSE released an update for PackageKit that fixes CVE-2026-41651. The vulnerability is a TOCTOU (time‑of‑check‑to‑time‑of‑use) race condition that allows any local, unprivileged user to install arbitrary RPM packages as root. In plain English: a regular user on your system can become root without a password.

The issue affects PackageKit versions 1.0.2 through 1.3.4 and is present in many Linux distributions, including openSUSE Leap 15.6 and SUSE Linux Enterprise Desktop/Server 15 SP7. The fix is included in PackageKit 1.3.5 and later.

This guide is written as an evergreen reference: the commands and mitigations will remain useful for months or years, regardless of when you read it.


How to check if you are vulnerable



Run the following commands on your openSUSE or SUSE system:

bash
# Check which PackageKit version you have installed
zypper info PackageKit | grep Version
  • If the version is 1.0.2 through 1.3.4, you are vulnerable.
  • If the version is 1.3.5 or higher, you are safe.
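
The version check above as a script (an added example, not part of the original post). It applies the affected range stated on this page with a real version comparison and strips the RPM release suffix. The function names are this example's own, and the `backported` result rests on an assumption: that a distribution package carrying the fix without a new upstream version number mentions the CVE id in its changelog.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Affected range as stated on the page: 1.0.2 through 1.3.4 (fixed in 1.3.5).
CVE_ID="CVE-2026-41651"
FIRST_BAD="1.0.2"
LAST_BAD="1.3.4"

# ver_le A B: succeeds when A <= B in version order (needs GNU sort -V,
# so that 1.10.0 sorts after 1.3.4 instead of before it).
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# upstream_version V: drop an RPM epoch and release,
# e.g. "1.2.8-150600.4.3.1" -> "1.2.8".
upstream_version() {
    local v="${1#*:}"
    printf '%s\n' "${v%%-*}"
}

# classify VERSION [CHANGELOG]: prints one of
#   not-affected | fixed | backported | vulnerable
# "backported" is an assumption: it only means the package changelog
# mentions the CVE id while the upstream version is still in range.
classify() {
    local v
    v="$(upstream_version "$1")"
    if ! ver_le "$FIRST_BAD" "$v"; then
        echo "not-affected"
    elif ! ver_le "$v" "$LAST_BAD"; then
        echo "fixed"
    elif printf '%s' "${2:-}" | grep -qF "$CVE_ID"; then
        echo "backported"
    else
        echo "vulnerable"
    fi
}

# check_installed: classify the PackageKit RPM on this machine.
check_installed() {
    local ver log
    ver="$(rpm -q --qf '%{VERSION}-%{RELEASE}' PackageKit)" || return 2
    log="$(rpm -q --changelog PackageKit)"
    echo "PackageKit ${ver}: $(classify "$ver" "$log")"
}

# Run the live check only where the rpm tool and the package exist.
if command -v rpm >/dev/null 2>&1 && rpm -q PackageKit >/dev/null 2>&1; then
    check_installed
fi
```
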
You can also test whether PackageKit will install a package without authentication (run as a non‑root user):
bash
# Try to install a harmless dummy package as a regular user
pkcon install cowsay

If pkcon asks for a password, you are likely safe. If it installs without a password (and you are not in the wheel group), your system is vulnerable.



Alternative mitigation if you can’t update now

If you cannot reboot or apply the update immediately, use one of these workarounds:

1. Block PackageKit entirely (AppArmor)

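The commands below do this at the service level rather than through an AppArmor profile: they stop the PackageKit daemon, disable its unit, and mask it so that D-Bus activation cannot start it again:
bash
# Stop the running daemon and disable the unit
sudo systemctl stop packagekit
sudo systemctl disable packagekit
# PackageKit is D-Bus activated, so also mask the unit to keep it from being started on demand
sudo systemctl mask packagekit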

Warning: This will break GUI software centers (GNOME Software, KDE Discover) and automatic update notifications.

2. Restrict PackageKit via polkit

Edit /usr/share/polkit-1/actions/org.freedesktop.packagekit.policy and change all <allow_active> tags from yes to auth_admin or no. Then restart polkit:
bash
sudo systemctl restart polkit

3. iptables / nftables (if the attack arrives over the network)

While this is a local race condition, some exploit chains involve a remote component. Blocking unnecessary incoming connections reduces the attack surface.

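bash
# Example: block all incoming traffic except SSH (adjust to your needs)
# Add the ACCEPT rules before switching the default policy to DROP,
# so an existing SSH session is not cut off part-way through
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -P INPUT DROP

Save the rules (the redirection has to run as root, so wrap it in a root shell): sudo sh -c 'iptables-save > /etc/iptables/rules.v4'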


Conclusion & call to action



This vulnerability is fixed, but the next one is already being researched. To stay ahead:
  • Subscribe to the Linux Security Weekly newsletter – every Monday, five actionable security tips for Linux admins.
  • Download the free checklist: “10 post‑update steps to verify no backdoor was installed” – get it by subscribing above.
  • Go deeper: Buy Practical Binary Analysis or Practical Malware Analysis and stop chasing patches. Learn to find and fix the vulnerabilities you haven’t seen yet.

