Full Report
A new vulnerability dubbed Pack2TheRoot could be exploited in the PackageKit daemon to allow local Linux users to install or remove system packages and gain root permissions. [...]
Analysis Summary
# Vulnerability: Pack2TheRoot Local Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-41651
- **CVSS Score:** 8.8 (High)
- **CWE:** Not explicitly stated in the article (typically associated with Improper Authentication or Privilege Management).
## Affected Systems
- **Products:** PackageKit daemon (background service for software management).
- **Versions:** Affected from version 1.0.2 (Nov 2014) through 1.3.4.
- **Configurations:** Systems where PackageKit is pre-installed and enabled out-of-the-box. Specific distributions confirmed vulnerable include:
  - Ubuntu Desktop 18.04, 24.04.4, 26.04 (beta)
  - Ubuntu Server 22.04 – 24.04
  - Debian Desktop Trixie 13.4
  - RockyLinux Desktop 10.1
  - Fedora 43 Desktop/Server
## Vulnerability Description
Pack2TheRoot is a flaw in the mechanism PackageKit uses to handle package management requests. For nearly 12 years, the daemon has contained a logic error allowing commands like `pkcon install` to execute without requiring administrative authentication under specific conditions. By exploiting this flaw, a local user can bypass security prompts to install or remove system packages, ultimately leading to full root access.
## Exploitation
- **Status:** PoC created by researchers (currently redacted/unreleased); no reports of exploitation in the wild as of April 2026.
- **Complexity:** Low (exploitable using standard tools/commands).
- **Attack Vector:** Local (requires access to a local user account on the system).
## Impact
- **Confidentiality:** High (Full system access/Root permissions).
- **Integrity:** High (Ability to add/remove system-level software and modify configuration).
- **Availability:** High (Can lead to daemon crashes and potential system instability via package removal).
## Remediation
### Patches
- **PackageKit Version 1.3.5:** Addresses the flaw. Users should upgrade immediately.
### Workarounds
- Disable the PackageKit daemon if it is not required: `systemctl stop packagekit` and `systemctl mask packagekit`.
## Detection
- **Indicators of Compromise:** Look for assertion failures and crashes of the PackageKit daemon in system logs (`journalctl` or `/var/log/syslog`). Exploitation typically causes the daemon to crash before or after the privilege escalation occurs.
- **Tools:**
  - Check installed version: `dpkg -l | grep -i packagekit` or `rpm -qa | grep -i packagekit`.
  - Check status: `systemctl status packagekit` or `pkmon`.
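The Remediation and Detection sections above describe three checks a defender would run: is the installed PackageKit inside the affected range (1.0.2 through 1.3.4), is the daemon still enabled, and do the system logs show the daemon crashing on assertion failures. The following POSIX shell script, added here as an example (it is not code from the advisory, from the PackageKit project or from the researchers), combines those checks. It assumes the Debian/Ubuntu package is named `packagekit` and the Fedora/Rocky package `PackageKit`, and the log lines it scans are constructed samples, not real daemon output.

```shell
#!/bin/sh
# Added example: defender-side checks for the Pack2TheRoot advisory.
# Assumptions: dpkg package "packagekit", rpm package "PackageKit",
# affected range 1.0.2 through 1.3.4 (fixed in 1.3.5).

# ver_num: map "MAJOR.MINOR.PATCH[-suffix]" to one integer for comparison.
# Distribution suffixes such as "-2ubuntu1" or "~rc1" are stripped first.
ver_num() {
    v=${1%%[-~+]*}
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# pk_vulnerable VERSION: exit 0 if VERSION lies in the affected range.
pk_vulnerable() {
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num 1.0.2)" ] && [ "$v" -le "$(ver_num 1.3.4)" ]
}

# pk_installed_version: print the installed PackageKit version, or fail.
pk_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' packagekit 2>/dev/null) && { echo "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}' PackageKit 2>/dev/null) && { echo "$v"; return 0; }
    fi
    return 1
}

# pk_crash_indicators: read log lines on stdin and print how many look like
# PackageKit assertion failures or daemon crashes (the indicator named above).
pk_crash_indicators() {
    grep -Eic 'packagekit.*(assert|core dumped|code=dumped|segfault|abrt)' || true
}

# Constructed sample journal excerpt (not real daemon output): two of the
# four lines are crash indicators.
SAMPLE_LOG='Apr 10 12:00:01 host packagekitd[1234]: daemon start
Apr 10 12:00:05 host packagekitd[1234]: ERROR: assertion failed (constructed sample line)
Apr 10 12:00:06 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
Apr 10 12:00:07 host sshd[999]: Accepted publickey for alice from 10.0.0.5'

# Demonstration on the constructed data.
printf 'constructed log: %s crash indicator line(s)\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | pk_crash_indicators)"
for ver in 1.0.1 1.0.2 "1.2.8-2ubuntu1" 1.3.4 1.3.5; do
    if pk_vulnerable "$ver"; then
        echo "$ver: affected, upgrade to 1.3.5 or mask the daemon"
    else
        echo "$ver: not affected"
    fi
done

# Optional live check of this host; skipped quietly where the tools are absent.
if installed=$(pk_installed_version); then
    if pk_vulnerable "$installed"; then
        echo "installed PackageKit $installed is in the affected range"
    else
        echo "installed PackageKit $installed is outside the affected range"
    fi
    if command -v systemctl >/dev/null 2>&1; then
        echo "packagekit.service state: $(systemctl is-active packagekit 2>/dev/null || true)"
    fi
    if command -v journalctl >/dev/null 2>&1; then
        echo "journal crash indicators: $(journalctl -u packagekit --no-pager 2>/dev/null | pk_crash_indicators)"
    fi
fi
```

The version comparison deliberately strips distribution suffixes so that `1.2.8-2ubuntu1` compares as `1.2.8`; note that a distribution may backport the 1.3.5 fix into an older version string, so a range hit is a prompt to check the vendor's advisory rather than proof of exposure. The journal scan is a coarse indicator, not a detection signature: it flags any PackageKit assertion or abort, which the advisory names as the typical side effect of exploitation.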
## References
- PackageKit Security Advisory: hxxps[://]github[.]com/PackageKit/PackageKit/security/advisories/GHSA-f55j-vvr9-69xv
- PackageKit Release 1.3.5: hxxps[://]github[.]com/PackageKit/PackageKit/releases/tag/v1.3.5
- Deutsche Telekom Red Team Research: hxxps[://]github[.]security[.]telekom[.]com/2026/04/pack2theroot-linux-local-privilege-escalation[.]html
- BleepingComputer Article: hxxps[://]www[.]bleepingcomputer[.]com/news/security/new-pack2theroot-flaw-gives-hackers-root-linux-access/