
CVE-2026-41651 'Pack2TheRoot' Flaw Grants Root Access on Linux via PackageKit

April 26, 2026 00:00 · 5 min read

What Is the Pack2TheRoot Vulnerability?

A newly identified security flaw, nicknamed Pack2TheRoot and tracked as CVE-2026-41651, has been disclosed in the PackageKit daemon — a background service responsible for managing software installation, updates, and removal across Linux systems. The vulnerability carries a high-severity CVSS score of 8.8 out of 10 and could allow local users to install or remove system packages and escalate their privileges all the way to root.

What makes this flaw particularly concerning is its age. The bug has been lurking in PackageKit for almost 12 years, tracing back to version 1.0.2 released in November 2014. Every version through 1.3.4 is considered affected, according to the project's own security advisory.

How the Flaw Was Discovered

The vulnerability was uncovered by the Deutsche Telekom Red Team, whose researchers were investigating how PackageKit handles package management requests. They found that under certain conditions on a Fedora system, commands such as pkcon install could be executed without requiring authentication, allowing them to install a system-level package without elevated privileges.

To deepen their understanding of the attack surface, the team turned to the Claude Opus AI tool, which helped them explore and ultimately discover CVE-2026-41651. A redacted proof-of-concept exploit was developed as part of the research, though full technical details and a working demo have been deliberately withheld to give patches time to propagate to affected systems.

Deutsche Telekom's Red Team responsibly disclosed their findings to Red Hat and PackageKit maintainers on April 8. Earlier this week, limited information about the vulnerability was published alongside the release of PackageKit version 1.3.5, which addresses the issue.

Which Linux Distributions Are Affected?

According to the researchers, any Linux distribution that ships with PackageKit pre-installed and enabled by default should be considered vulnerable. Testing confirmed exploitability across the following distributions:

The researchers emphasize that this list is not exhaustive. Any Linux distribution using PackageKit should be treated as potentially at risk until patched.

Exploitation Leaves a Detectable Trace

While no confirmed cases of active exploitation have been publicly reported, the Deutsche Telekom Red Team noted that there are observable indicators when an attack occurs. Exploitation causes the PackageKit daemon to hit an assertion failure and crash. Even if systemd restarts the daemon automatically, the crash event remains visible in system logs — providing defenders with a forensic breadcrumb to investigate.

How to Check If You Are Vulnerable

System administrators can quickly determine whether a vulnerable version of PackageKit is installed by running the following commands:

To verify whether the PackageKit daemon is currently active and running — which would indicate the system is at risk if unpatched — administrators can use either systemctl status packagekit or the pkmon utility.
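A version-range check built from the figures in this article (affected from 1.0.2 through 1.3.4, fixed in 1.3.5), as an added example that is not part of the original article or the PackageKit advisory. The function names are illustrative and the package names packagekit (dpkg) and PackageKit (rpm) are assumptions; a distribution may backport the fix without changing the upstream version, so treat an "affected" result as a prompt to check the distribution's own advisory.

```shell
#!/bin/sh
# Added example. Range from the article: affected 1.0.2 through 1.3.4, fixed in 1.3.5.
FIRST_AFFECTED="1.0.2"
FIXED="1.3.5"

# Reduce a distro package version to the upstream part: drop epoch and revision.
pk_upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*$//'
}

# True when $1 sorts strictly before $2 in version order.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify a version string: predates-bug | affected | fixed | unknown.
pk_version_status() {
    v=$(pk_upstream_version "$1")
    case "$v" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;
    esac
    if version_lt "$v" "$FIRST_AFFECTED"; then echo "predates-bug"
    elif version_lt "$v" "$FIXED"; then echo "affected"
    else echo "fixed"
    fi
}

# Installed package version (assumed package names: packagekit / PackageKit).
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' packagekit 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null
    fi
}

# Report version status and whether the daemon is running; fails if affected.
pk_check_host() {
    ver=$(pk_installed_version)
    status=$(pk_version_status "$ver")
    active=$(systemctl is-active packagekit 2>/dev/null || true)
    echo "PackageKit ${ver:-not found}: $status (daemon: ${active:-unknown})"
    [ "$status" != "affected" ]
}

# Run the host check only when asked, e.g. `sh pk_check.sh --host`.
if [ "${1:-}" = "--host" ]; then pk_check_host; fi
```

With `--host` the script exits non-zero when the installed version falls in the affected range, which makes it usable as a fleet inventory or compliance check.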

Remediation Steps

The fix is straightforward: upgrade to PackageKit version 1.3.5 as soon as possible. Beyond updating PackageKit itself, administrators should also ensure that any other software packages or tools that depend on PackageKit have been updated to versions that reference the patched release. Given the daemon's widespread default installation across popular Linux distributions, prompt action is strongly recommended.

With the flaw spanning nearly a dozen years of PackageKit releases and confirmed across a wide range of mainstream distributions — including both desktop and server variants — the attack surface is broad. The combination of a high CVSS score, easy local exploitation, and long-standing presence in the codebase makes CVE-2026-41651 a priority patch for any Linux administrator or security team.


Source: BleepingComputer
