Critical Pack2TheRoot Flaw Lets Attackers Gain Root Access
Key Takeaways A severe privilege escalation flaw, dubbed Pack2TheRoot (CVE-2026-41651), has been uncovered in the PackageKit daemon, affecting numerous Linux distributions. The vulnerability allows...
Key Takeaways
- A severe privilege escalation flaw, dubbed Pack2TheRoot (CVE-2026-41651), has been uncovered in the PackageKit daemon, affecting numerous Linux distributions.
- The vulnerability allows unprivileged local users to gain root access by silently installing or removing system packages without authentication.
- PackageKit versions 1.0.2 through 1.3.4, spanning over a decade of releases, are impacted, including default installations of Ubuntu, Debian, Fedora, and Rocky Linux.
- A patch is available in PackageKit 1.3.5, released on April 22, 2026, and immediate application is strongly recommended.
Deutsche Telekom’s Red Team has publicly revealed a critical privilege escalation vulnerability, designated Pack2TheRoot (CVE-2026-41651), which carries a CVSS 3.1 score of 8.8, classifying it as high severity. This flaw impacts default installations across a wide array of prominent Linux distributions.
Table Of Content
The vulnerability enables any local user without elevated privileges to covertly install or uninstall system packages, ultimately leading to full root access on the compromised system without the need for a password.
The PackageKit Weakness
At the heart of this issue is the PackageKit daemon, a ubiquitous abstraction layer for package management that is widely deployed across Debian, Ubuntu, Fedora, and Red Hat-based operating systems.
Exploiting this weakness allows an attacker with even basic local access to completely bypass authorization mechanisms. This enables them to install malicious software or remove critical security components, thereby fully compromising the system.
According to Telekom Security, a staggering range of PackageKit versions, from 1.0.2 up to and including 1.3.4, are affected. This broad scope encompasses over 12 years of releases, presenting an exceptionally extensive attack surface for potential exploitation.
Furthermore, because PackageKit acts as an optional dependency for the Cockpit server management project, enterprise servers utilizing Cockpit—including those running Red Hat Enterprise Linux (RHEL)—may also be susceptible to this vulnerability.
The exploitability of Pack2TheRoot has been rigorously tested and confirmed on the following default installations:
- Ubuntu Desktop 18.04, 24.04.4 LTS, and 26.04 LTS Beta
- Ubuntu Server 22.04 and 24.04 LTS
- Debian Desktop Trixie 13.4
- Rocky Linux Desktop 10.1
- Fedora 43 Desktop and Server
Any distribution that ships with PackageKit enabled should be considered potentially vulnerable.
Discovery and Disclosure
Telekom Security discovered this vulnerability during their focused research into local privilege escalation vectors on contemporary Linux systems. The team initially observed an anomaly where a pkcon install command could successfully install a system package on Fedora Workstation without requiring a password prompt.
Starting in 2025, researchers leveraged Anthropic’s Claude Opus AI to assist and accelerate their investigation, which ultimately led to the identification of the exploitable flaw. All findings underwent thorough manual review before being responsibly disclosed to the PackageKit maintainers, who subsequently verified both the existence and exploitability of the issue.
A functional proof-of-concept (PoC) has been developed, reliably achieving root code execution within seconds. However, this PoC will not be released publicly at this time.
How to Check If You’re Vulnerable
Given that PackageKit and Cockpit do not always run as persistent processes (they can activate on demand via D-Bus), a simple check of the process list is insufficient. The following commands can be used to determine vulnerability:
- Debian/Ubuntu:
dpkg -l | grep -i packagekit - RPM-based:
rpm -qa | grep -i packagekit - Check daemon status:
systemctl status packagekitorpkmon
While the attack can be executed in seconds, it does leave a detectable trace. Exploitation triggers an assertion failure and crash within the PackageKit daemon, which is logged and subsequently recoverable by systemd. Defenders should monitor for the following log signature:
journalctl --no-pager -u packagekit | grep -i emitted_finished
An assertion failure at pk-transaction.c:514 serves as a strong indicator of active exploitation.
What You Should Do
The vulnerability has been addressed in PackageKit version 1.3.5, which was released on April 22, 2026. Distribution-specific patched packages are also available:
- Debian: Consult the CVE tracker at security-tracker.debian.org
- Ubuntu: Refer to the Launchpad CVE bug tracker
- Fedora 42–44: The fix is integrated into PackageKit-1.3.4-3 via Koji
System administrators are urgently advised to apply these patches without delay, especially on internet-facing servers that are running Cockpit.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.