Critical Pack2TheRoot Flaw: Attackers Vulnerability Gain

Jennifer sherman
April 23, 2026

Deutsche Telekom’s Red Team has publicly disclosed Pack2TheRoot (CVE-2026-41651, CVSS 3.1: 8.8), a high-severity privilege escalation vulnerability. This flaw affects multiple major Linux distributions in their default installations.

The flaw allows any local unprivileged user to silently install or remove system packages, ultimately achieving full root access without requiring a password.

The vulnerability resides in the PackageKit daemon, a widely deployed cross-distribution package management abstraction layer used across Debian, Ubuntu, Fedora, and Red Hat-based systems.

Exploiting this flaw, an attacker with basic local access can bypass authorization controls entirely, installing malicious packages or removing critical security components to compromise the system.

According to Telekom Security, all PackageKit versions from 1.0.2 through 1.3.4 are affected, spanning over 12 years of releases, creating an exceptionally broad attack surface.

Because PackageKit is also an optional dependency of the Cockpit server management project, enterprise servers running Cockpit, including those running Red Hat Enterprise Linux (RHEL), may also be exposed.

Exploitability has been tested and confirmed on the following default installations:

  • Ubuntu Desktop 18.04, 24.04.4 LTS, and 26.04 LTS Beta
  • Ubuntu Server 22.04 and 24.04 LTS
  • Debian Desktop Trixie 13.4
  • Rocky Linux Desktop 10.1
  • Fedora 43 Desktop and Server

Any distribution shipping PackageKit with it enabled should be considered potentially vulnerable.

The vulnerability was discovered by Telekom Security during targeted research into local privilege escalation vectors on modern Linux systems. The team initially noticed that a pkcon install command could install a system package on Fedora Workstation without prompting for a password.

Beginning in 2025, researchers leveraged Claude Opus by Anthropic to guide and accelerate their investigation, ultimately identifying the exploitable flaw. All findings were manually reviewed before being responsibly disclosed to PackageKit maintainers, who confirmed both the issue and its exploitability.

A working proof-of-concept (PoC) exists and reliably achieves root code execution in seconds, though it will not be released publicly at this time.

How to Check If You’re Vulnerable

Since PackageKit and Cockpit aren’t always running as persistent processes (they can activate on demand via D-Bus), a simple process list check is insufficient. Use these commands:

  • Debian/Ubuntu: dpkg -l | grep -i packagekit
  • RPM-based: rpm -qa | grep -i packagekit
  • Check daemon status: systemctl status packagekit or pkmon

Despite being exploitable in seconds, the attack leaves a detectable trace. Exploitation causes the PackageKit daemon to hit an assertion failure and crash, which is logged and recoverable by systemd. Defenders should monitor for the following log signature:

journalctl --no-pager -u packagekit | grep -i emitted_finished

An assertion failure at pk-transaction.c:514 is a strong indicator of active exploitation.
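
The version check and the log check above can be combined into one triage script. This is an added example, not code from the article or from Telekom Security; the function names and the sample journal lines are constructed, and the exact wording of the assertion message is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): triage helpers for CVE-2026-41651.
# The affected range (1.0.2 through 1.3.4) and the log signature come from the
# article; function names and the sample log lines are constructed here.

# Map "1:1.3.4-3ubuntu1" or "1.3.4" to one comparable integer.
ver_key() {
    v=${1#*:}              # drop a Debian epoch such as "1:"
    v=${v%%[-+~]*}         # drop the distro revision suffix
    old_ifs=$IFS; IFS=.
    set -- $v              # split major.minor.patch
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeeds when the upstream version is inside the affected range.
# Distro backports (e.g. Fedora's PackageKit-1.3.4-3) can be patched while
# still reporting 1.3.4, so treat a hit as "check the vendor advisory".
pk_version_affected() {
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 1.0.2)" ] && [ "$k" -le "$(ver_key 1.3.4)" ]
}

# Count journal lines on stdin that carry the crash signature.
count_crash_signatures() {
    grep -ciE 'emitted_finished|pk-transaction\.c:514' || true
}

# Constructed sample journal lines; the exact message text is an assumption.
SAMPLE_LOG='Apr 23 10:01:02 host packagekitd[812]: daemon start
Apr 23 10:04:17 host packagekitd[812]: pk-transaction.c:514: assertion failed (emitted_finished)
Apr 23 10:04:17 host systemd[1]: packagekit.service: Main process exited, code=dumped'

# Query the real host: installed version plus journal hits.
triage_live() {
    ver=$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null) ||
        ver=$(rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then echo "PackageKit not installed"; return 0; fi
    if pk_version_affected "$ver"; then state="in affected range"; else state="outside affected range"; fi
    hits=$(journalctl --no-pager -u packagekit 2>/dev/null | count_crash_signatures)
    echo "PackageKit $ver: $state; crash signatures in journal: $hits"
}

if [ "${1:-}" = "--live" ]; then
    triage_live
else
    echo "sample log crash signatures: $(printf '%s\n' "$SAMPLE_LOG" | count_crash_signatures)"
fi
```

Run with --live on a host to query the package database and the packagekit journal; without arguments it only scans the constructed sample lines.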

Mitigation

The vulnerability is fixed in PackageKit 1.3.5, released on April 22, 2026. Distribution-specific patched packages are also available:

  • Debian: CVE tracker at security-tracker.debian.org
  • Ubuntu: Launchpad CVE bug tracker
  • Fedora 42–44: Fixed in PackageKit-1.3.4-3 via Koji

System administrators are strongly urged to apply patches immediately, particularly on internet-facing servers running Cockpit.
