Critical Linux Vulnerability ‘Pack2TheRoot’ Grants Root Access; Immediate Patches Urged for Major Distributions

Critical ‘Pack2TheRoot’ Vulnerability Grants Unrestricted Root Access on Major Linux Distributions

A significant security flaw, identified as CVE-2026-41651 and dubbed Pack2TheRoot, has been uncovered by Deutsche Telekom’s Red Team. This high-severity privilege escalation vulnerability, with a CVSS score of 8.8, affects multiple major Linux distributions in their default configurations. It allows any local unprivileged user to install or remove system packages without authentication, ultimately achieving full root access without requiring a password.

Vulnerability Overview

The root of this vulnerability lies in the PackageKit daemon, a widely used package management abstraction layer across various Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat-based systems. By exploiting this flaw, an attacker with basic local access can bypass authorization controls entirely. This capability enables the installation of malicious packages or the removal of critical security components, leading to complete system compromise.

Affected Systems

According to Telekom Security, all PackageKit versions from 1.0.2 through 1.3.4 are affected, spanning over 12 years of releases. This extensive timeframe creates an exceptionally broad attack surface. Notably, PackageKit is also an optional dependency of the Cockpit server management project. Therefore, enterprise servers running Cockpit, including those operating on Red Hat Enterprise Linux (RHEL), may also be exposed.

The vulnerability has been tested and confirmed on the following default installations:

– Ubuntu Desktop 18.04, 24.04.4 LTS, and 26.04 LTS Beta
– Ubuntu Server 22.04 and 24.04 LTS
– Debian Desktop Trixie 13.4
– Rocky Linux Desktop 10.1
– Fedora 43 Desktop and Server

Any distribution shipping PackageKit with it enabled should be considered potentially vulnerable.

Discovery and Exploitation

The vulnerability was discovered by Telekom Security during targeted research into local privilege escalation vectors on modern Linux systems. The team initially observed that a `pkcon install` command could install a system package on Fedora Workstation without prompting for a password.

Beginning in 2025, researchers leveraged advanced tools to guide and accelerate their investigation, ultimately identifying the exploitable flaw. All findings were manually reviewed before being responsibly disclosed to PackageKit maintainers, who confirmed both the issue and its exploitability.

A working proof-of-concept (PoC) exists and reliably achieves root code execution in seconds. However, it will not be released publicly at this time to prevent potential misuse.

Detection and Mitigation

Because PackageKit and Cockpit are not always running as persistent processes (they can be activated on demand via D-Bus), checking the process list is not enough to tell whether a system is exposed. System administrators can use the following commands to check whether PackageKit is installed:

– Debian/Ubuntu: `dpkg -l | grep -i packagekit`
– RPM-based: `rpm -qa | grep -i packagekit`

To check the daemon status:

– `systemctl status packagekit`
– `pkmon`

Despite the rapid exploitability, the attack leaves a detectable trace. Exploitation causes the PackageKit daemon to hit an assertion failure and crash, which is logged and recoverable by systemd. Defenders should monitor for the following log signature:

`journalctl --no-pager -u packagekit | grep -i emitted_finished`

An assertion failure at `pk-transaction.c:514` is a strong indicator of active exploitation.
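
The following is an added example, not code from Telekom Security or the PackageKit project: a shell helper that classifies a package version string against the affected upstream range stated above (1.0.2 through 1.3.4) and counts journal lines carrying the crash signature. The function names and sample inputs are constructed for illustration. A patched distribution rebuild such as the Fedora PackageKit-1.3.4-3 build listed under Patch Availability still reports in-range, so confirm against the distribution's tracker.

```sh
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.
# Affected upstream range as stated in the article: 1.0.2 through 1.3.4.
AFFECTED_MIN=1.0.2
AFFECTED_MAX=1.3.4

# Strip a dpkg/rpm epoch ("1:") and release suffix ("-3.fc43").
pk_upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# Exit 0 when $1 <= $2 in version order (relies on GNU sort -V).
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "in-range" or "out-of-range" for a full package version string.
# "in-range" only means the upstream version is affected: a patched
# distro rebuild keeps the upstream number, so check the distro tracker.
pk_classify() {
    v=$(pk_upstream_version "$1")
    if ver_le "$AFFECTED_MIN" "$v" && ver_le "$v" "$AFFECTED_MAX"; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Count stdin lines carrying the crash signature named in the article.
pk_count_crash_lines() {
    grep -c -i -e 'emitted_finished' -e 'pk-transaction\.c:514' || true
}

# Constructed sample inputs, not real output. On a live host use:
#   dpkg-query -W -f='${Version}\n' packagekit
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' PackageKit
#   journalctl --no-pager -u packagekit | pk_count_crash_lines
SAMPLE_LOG='CONSTRUCTED packagekitd[1111]: daemon start
CONSTRUCTED packagekitd[1111]: pk-transaction.c:514: assertion failed (emitted_finished)
CONSTRUCTED systemd[1]: packagekit.service: main process exited'

for ver in 1.2.8-2ubuntu1 1.3.4-3.fc43 1.3.5-1; do
    echo "$ver: $(pk_classify "$ver")"
done
echo "crash lines: $(printf '%s\n' "$SAMPLE_LOG" | pk_count_crash_lines)"
```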

Patch Availability

The vulnerability is fixed in PackageKit version 1.3.5, released on April 22, 2026. Distribution-specific patched packages are also available:

– Debian: CVE tracker at security-tracker.debian.org
– Ubuntu: Launchpad CVE bug tracker
– Fedora 42–44: Fixed in PackageKit-1.3.4-3 via Koji

System administrators are strongly urged to apply patches immediately, particularly on internet-facing servers running Cockpit.

Conclusion

The Pack2TheRoot vulnerability underscores the critical importance of timely patch management and vigilant system monitoring. Given the widespread use of PackageKit across various Linux distributions, the potential impact of this flaw is substantial. Organizations must prioritize the application of the provided patches to mitigate the risk of unauthorized root access and system compromise.