CVE-2020-16121
CVE-2020-16121 affects PackageKit in multiple Linux distros. The flaw allows a local, unprivileged user to learn the MIME type and presence of files via DBus interfaces (InstallFiles, GetFilesLocal, GetDetailsLocal). Several advisories and Nessus/NVD references show this as an information-disclos...
CVE-2026-41651
CVE-2026-41651 concerns PackageKit, a D-Bus abstraction layer for cross-distro package management. The vulnerability affects versions 1.0.2 through 1.3.4 and enables local privilege escalation via a TOCTOU race on transaction flags, allowing an unprivileged user to install packages as root (inclu...
CVE-2018-1106
CVE-2018-1106 affects PackageKit prior to 1.1.10. The vulnerability is an authentication bypass that allows a non-administrative user to install signed packages, enabling local privilege escalation and potential system compromise by installing vulnerable packages. Public advisories (various OS ve...
CVE-2020-16122
CVE-2020-16122 concerns PackageKit’s apt backend, which incorrectly treated all local .deb packages as trusted. The vulnerability arises because the apt security model relies on repository trust rather than the contents of individual files, enabling a local attacker to potentially install malicio...
CVE-2024-0217
CVE-2024-0217 is a use-after-free in PackageKitd that can cause a memory access to regions freed during transaction cleanup, with freed regions potentially reused for new allocations. This vulnerability is reported across multiple distributions and advisor...
CVE-2022-0987
CVE-2022-0987 concerns a timing side-channel in PackageKit’s Transaction interface. Some methods expose timing information, allowing a local user to infer the existence of files owned by root or other users. Impact is information disclosure with local access; CVSS values in the records show LOW s...
CVE-2011-2515
PackageKit 0.6.17 is vulnerable to an issue where unsigned RPM packages are treated as signed, allowing installation of non-trusted packages and potential arbitrary code execution. Affected component: PackageKit 0.6.17. Root cause: unsigned RPMs accepted as signed, enabling local privilege or cod...
CVE-2013-1764
The CVE-2013-1764 issue affects the Zypper/zypp backend in PackageKit prior to 0.8.8. According to multiple sources (SUSE, Ubuntu, Debian, etc.), local users can downgrade packages via the install updates method, indicating a local escalation/precedent flaw that allows downgrades rather than enf...