Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
IBM WebSphere Flaws Let Attackers Exploit XSS, Path Traversal
July 6, 2026
FIFA World Cup Hype Used by Hackers to Steal PII and Payment Details
July 6, 2026
Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
July 6, 2026
Home/CyberSecurity News/Critical Pack2TheRoot Flaw Lets Attackers Gain Root Access
CyberSecurity News

Critical Pack2TheRoot Flaw Lets Attackers Gain Root Access

Key Takeaways A severe privilege escalation flaw, dubbed Pack2TheRoot (CVE-2026-41651), has been uncovered in the PackageKit daemon, affecting numerous Linux distributions. The vulnerability allows...

Jennifer sherman
Jennifer sherman
April 23, 2026 3 Min Read
52 0

Key Takeaways

  • A severe privilege escalation flaw, dubbed Pack2TheRoot (CVE-2026-41651), has been uncovered in the PackageKit daemon, affecting numerous Linux distributions.
  • The vulnerability allows unprivileged local users to gain root access by silently installing or removing system packages without authentication.
  • PackageKit versions 1.0.2 through 1.3.4, spanning over a decade of releases, are impacted, including default installations of Ubuntu, Debian, Fedora, and Rocky Linux.
  • A patch is available in PackageKit 1.3.5, released on April 22, 2026, and immediate application is strongly recommended.

Deutsche Telekom’s Red Team has publicly revealed a critical privilege escalation vulnerability, designated Pack2TheRoot (CVE-2026-41651), which carries a CVSS 3.1 score of 8.8, classifying it as high severity. This flaw impacts default installations across a wide array of prominent Linux distributions.

Table Of Content

  • Key Takeaways
  • The PackageKit Weakness
  • Discovery and Disclosure
  • How to Check If You’re Vulnerable
  • What You Should Do

The vulnerability enables any local user without elevated privileges to covertly install or uninstall system packages, ultimately leading to full root access on the compromised system without the need for a password.

The PackageKit Weakness

At the heart of this issue is the PackageKit daemon, a ubiquitous abstraction layer for package management that is widely deployed across Debian, Ubuntu, Fedora, and Red Hat-based operating systems.

Exploiting this weakness allows an attacker with even basic local access to completely bypass authorization mechanisms. This enables them to install malicious software or remove critical security components, thereby fully compromising the system.

According to Telekom Security, a staggering range of PackageKit versions, from 1.0.2 up to and including 1.3.4, are affected. This broad scope encompasses over 12 years of releases, presenting an exceptionally extensive attack surface for potential exploitation.

Furthermore, because PackageKit acts as an optional dependency for the Cockpit server management project, enterprise servers utilizing Cockpit—including those running Red Hat Enterprise Linux (RHEL)—may also be susceptible to this vulnerability.

The exploitability of Pack2TheRoot has been rigorously tested and confirmed on the following default installations:

  • Ubuntu Desktop 18.04, 24.04.4 LTS, and 26.04 LTS Beta
  • Ubuntu Server 22.04 and 24.04 LTS
  • Debian Desktop Trixie 13.4
  • Rocky Linux Desktop 10.1
  • Fedora 43 Desktop and Server

Any distribution that ships with PackageKit enabled should be considered potentially vulnerable.

Discovery and Disclosure

Telekom Security discovered this vulnerability during their focused research into local privilege escalation vectors on contemporary Linux systems. The team initially observed an anomaly where a pkcon install command could successfully install a system package on Fedora Workstation without requiring a password prompt.

Starting in 2025, researchers leveraged Anthropic’s Claude Opus AI to assist and accelerate their investigation, which ultimately led to the identification of the exploitable flaw. All findings underwent thorough manual review before being responsibly disclosed to the PackageKit maintainers, who subsequently verified both the existence and exploitability of the issue.

A functional proof-of-concept (PoC) has been developed, reliably achieving root code execution within seconds. However, this PoC will not be released publicly at this time.

How to Check If You’re Vulnerable

Given that PackageKit and Cockpit do not always run as persistent processes (they can activate on demand via D-Bus), a simple check of the process list is insufficient. The following commands can be used to determine vulnerability:

  • Debian/Ubuntu: dpkg -l | grep -i packagekit
  • RPM-based: rpm -qa | grep -i packagekit
  • Check daemon status: systemctl status packagekit or pkmon

While the attack can be executed in seconds, it does leave a detectable trace. Exploitation triggers an assertion failure and crash within the PackageKit daemon, which is logged and subsequently recoverable by systemd. Defenders should monitor for the following log signature:

journalctl --no-pager -u packagekit | grep -i emitted_finished

An assertion failure at pk-transaction.c:514 serves as a strong indicator of active exploitation.

What You Should Do

The vulnerability has been addressed in PackageKit version 1.3.5, which was released on April 22, 2026. Distribution-specific patched packages are also available:

  • Debian: Consult the CVE tracker at security-tracker.debian.org
  • Ubuntu: Refer to the Launchpad CVE bug tracker
  • Fedora 42–44: The fix is integrated into PackageKit-1.3.4-3 via Koji

System administrators are urgently advised to apply these patches without delay, especially on internet-facing servers that are running Cockpit.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Apple Patches Critical Notification Privacy Flaw in iOS, iPadOS

Next Post

Tropic Trooper Attack Uses Custom Beacon Listener and VS Code Tunnels

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
RedLine Stealer C2 Uses 7 Fraudulent Domains in Maritime Phishing Attacks
July 6, 2026
Teen Arrested for Bandai Channel Cyberattack Aided by ChatGPT
July 6, 2026
Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us