Vulnerabilities | Apr 27, 2026

Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access

Pack2TheRoot race condition in PackageKit enables unprivileged users to gain root access via privilege escalation.

Summary

CVE-2026-41651, a high-severity TOCTOU race condition in PackageKit's transaction flag handling, allows unprivileged users to escalate privileges and install arbitrary RPM packages as root without authentication. The vulnerability affects PackageKit versions 1.0.2 to 1.3.4 and likely existed since version 0.8.1 from 14 years ago, impacting Ubuntu, Debian, RockyLinux, and Fedora distributions. The flaw has been patched in PackageKit 1.3.5 with updates available for major Linux distributions.

Full text

An easily exploitable, high-severity vulnerability in PackageKit, the cross-distro package management abstraction layer, allows unprivileged users to install packages with root privileges.

Tracked as CVE-2026-41651 (CVSS score of 8.1), the flaw is described as a time-of-check time-of-use (TOCTOU) race condition on transaction flags. Referred to as Pack2TheRoot, the bug is a combination of three issues: caller-supplied flags are written without checking whether the transaction is authorized, or even whether it is already running. The result is a transaction running with corrupted flags and, because the flags are read at dispatch rather than at authorization time, the backend sees the attacker's flags.

"Unprivileged users can exploit Pack2TheRoot to install arbitrary RPM packages as root, including scriptlets, without authentication," a NIST advisory reads.

The security defect has been confirmed to impact PackageKit versions 1.0.2 to 1.3.4, but likely existed since version 0.8.1, which was released 14 years ago (1.0.2 was released 12 years ago).

According to Deutsche Telekom's Red Team, which discovered the vulnerability, Linux distributions confirmed as affected include Ubuntu Desktop 18.04 (EOL), 24.04.4 (LTS), 26.04 (LTS beta), Ubuntu Server 22.04 – 24.04 (LTS), Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, Fedora 43 Desktop, and Fedora 43 Server.

"It is reasonable to assume that all distributions that ship PackageKit with it enabled are vulnerable. Since PackageKit is an optional dependency of the Cockpit project, many servers with Cockpit installed might be vulnerable as well, including Red Hat Enterprise Linux (RHEL)," Deutsche Telekom notes.

The company has refrained from sharing technical details on the flaw, noting that it is easily exploitable and that it could allow attackers to gain "root access or compromise the system in other ways".
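The three issues above reduce to one pattern: the flag value that is checked is not the flag value that is used. The toy model below is an added illustration written for this page, not PackageKit code; the class names, flag constants and method names are hypothetical and the real daemon's data structures are not reproduced. It places a transaction whose flag writes are unchecked and whose backend reads the live field at dispatch next to one that snapshots the flags at authorization time and refuses writes once the transaction is authorized or running.

```python
"""Toy model (added illustration, not PackageKit code) of a TOCTOU on
transaction flags: authorization inspects the flags once, but the backend
acts on whatever is in the flag field when the transaction is dispatched."""

from dataclasses import dataclass
from typing import Optional

# Hypothetical flag values for the model; they are not PackageKit's constants.
FLAG_NONE = 0
FLAG_SIMULATE = 1 << 0      # dry run: nothing is actually installed
FLAG_UNTRUSTED = 1 << 1     # allow unsigned / untrusted packages

PRIVILEGED_FLAGS = FLAG_UNTRUSTED  # flags that need an authorization check


class NotAuthorized(Exception):
    pass


@dataclass
class VulnerableTransaction:
    """Flag writes are unconditional, and dispatch reads the live field."""
    flags: int = FLAG_NONE
    authorized: bool = False
    running: bool = False

    def set_flags(self, flags: int) -> None:
        # No check of `authorized` or `running`: this is the TOCTOU window.
        self.flags = flags

    def authorize(self, caller_is_admin: bool) -> None:
        if self.flags & PRIVILEGED_FLAGS and not caller_is_admin:
            raise NotAuthorized("privileged flags need an admin")
        self.authorized = True

    def dispatch(self) -> int:
        """Return the flags the backend would act on."""
        assert self.authorized
        self.running = True
        return self.flags  # read at dispatch time, not at authorization time


@dataclass
class HardenedTransaction:
    """Flags are frozen at authorization and rejected while running."""
    flags: int = FLAG_NONE
    authorized_flags: Optional[int] = None
    running: bool = False

    def set_flags(self, flags: int) -> None:
        if self.authorized_flags is not None or self.running:
            raise PermissionError("flags are immutable after authorization")
        self.flags = flags

    def authorize(self, caller_is_admin: bool) -> None:
        if self.flags & PRIVILEGED_FLAGS and not caller_is_admin:
            raise NotAuthorized("privileged flags need an admin")
        self.authorized_flags = self.flags  # snapshot the value that was checked

    def dispatch(self) -> int:
        assert self.authorized_flags is not None
        self.running = True
        return self.authorized_flags  # backend sees exactly what was authorized


def run_race(tx_cls) -> int:
    """Authorize a harmless simulate-only transaction as a non-admin, then try
    to swap in privileged flags before the backend dispatches it."""
    tx = tx_cls()
    tx.set_flags(FLAG_SIMULATE)
    tx.authorize(caller_is_admin=False)
    try:
        tx.set_flags(FLAG_UNTRUSTED)  # the late, unchecked write
    except PermissionError:
        pass  # the hardened model refuses the write
    return tx.dispatch()


def direct_request_rejected(tx_cls) -> bool:
    """The front door works in both models: asking for privileged flags up
    front is refused for a non-admin caller."""
    tx = tx_cls()
    tx.set_flags(FLAG_UNTRUSTED)
    try:
        tx.authorize(caller_is_admin=False)
    except NotAuthorized:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable backend acts on flags:", run_race(VulnerableTransaction))
    print("hardened backend acts on flags:  ", run_race(HardenedTransaction))
```

In the vulnerable model the backend acts on `FLAG_UNTRUSTED` even though only `FLAG_SIMULATE` was ever authorized; the hardened model dispatches on the snapshot taken at authorization, so the late write has no effect. The general fix for this bug class is the same in either direction: either make the checked value immutable after the check, or re-check at the point of use.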
“Even though the vulnerability is reliably exploitable in seconds, it leaves traces that serve as a strong indicator of compromise. After successful exploitation, the PackageKit daemon hits an assertion failure and crashes. Systemd recovers the daemon on the next D-Bus invocation, preventing a denial-of-service, but the crash is observable in the system logs,” Deutsche Telekom says.

Pack2TheRoot was addressed in PackageKit version 1.3.5. Patches for it have also been included in recent Debian, Ubuntu, and Fedora updates.

Written by Ionut Arghire, international correspondent for SecurityWeek.
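The crash-and-recover sequence Deutsche Telekom describes above is something a detection rule can key on. The following is an added example written for this page, not something from Deutsche Telekom or the PackageKit project: it parses journal-style lines, correlates a `packagekit.service` core dump with a preceding assertion message from `packagekitd` and a subsequent D-Bus re-activation, and returns one finding per crash. The sample lines are constructed to mimic the systemd, GLib and dbus-daemon message formats; the assertion text, PIDs and host name are placeholders, and the real PackageKit assertion message is not reproduced here.

```python
"""Added example, not from the advisory or PackageKit: correlate a
packagekit.service core dump with an assertion message before it and a
D-Bus re-activation after it, over journal-style log lines."""

import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on systemd, GLib and dbus-daemon output.
# The assertion text, PIDs and host are placeholders, not real PackageKit output.
SAMPLE_JOURNAL = """\
Apr 27 10:01:02 host packagekitd[1234]: ERROR:src/example.c:1:example_fn: assertion failed: (flags_ok)
Apr 27 10:01:02 host systemd[1]: packagekit.service: Main process exited, code=dumped, status=6/ABRT
Apr 27 10:01:02 host systemd[1]: packagekit.service: Failed with result 'core-dump'.
Apr 27 10:01:05 host dbus-daemon[800]: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service' requested by ':1.99' (uid=1000 pid=4321 comm="pkcon ")
Apr 27 10:01:05 host systemd[1]: Started packagekit.service - PackageKit Daemon.
Apr 27 10:02:00 host sshd[2000]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# Classic syslog-style journal line: "Mon DD HH:MM:SS host proc[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
ASSERTION_RE = re.compile(r"\bassertion failed\b", re.I)
CRASH_RE = re.compile(r"packagekit\.service: Main process exited, code=(dumped|killed)")
RESTART_RE = re.compile(r"Activating via systemd: service name='org\.freedesktop\.PackageKit'")


def parse_journal(text: str, year: int) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, process name, message) for each parsable line.
    Syslog timestamps carry no year, so the caller supplies it."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["proc"], m["msg"]))
    return out


def find_packagekit_crashes(text: str, year: int = 2026, window_s: int = 60) -> List[Dict]:
    """One finding per packagekit.service crash: when it happened, whether a
    packagekitd assertion failure was logged within window_s before it, and
    how many seconds later D-Bus activation brought the daemon back (None if
    no re-activation was seen inside the window)."""
    events = parse_journal(text, year)
    findings: List[Dict] = []
    last_assertion: Optional[datetime] = None
    for i, (ts, proc, msg) in enumerate(events):
        if proc == "packagekitd" and ASSERTION_RE.search(msg):
            last_assertion = ts
            continue
        if proc != "systemd" or not CRASH_RE.search(msg):
            continue
        restarted_after = None
        for later_ts, _, later_msg in events[i + 1:]:
            delta = (later_ts - ts).total_seconds()
            if delta > window_s:
                break
            if RESTART_RE.search(later_msg):
                restarted_after = int(delta)
                break
        findings.append({
            "crashed_at": ts,
            "assertion_failure": last_assertion is not None
                and 0 <= (ts - last_assertion).total_seconds() <= window_s,
            "restarted_after_s": restarted_after,
        })
    return findings


if __name__ == "__main__":
    for finding in find_packagekit_crashes(SAMPLE_JOURNAL):
        print(finding)
```

On a live host the input would come from `journalctl -u packagekit.service -o short` (or a broader `journalctl -o short` so the `dbus-daemon` activation line is included); the second `Failed with result 'core-dump'` line is deliberately not counted so one crash yields one finding. A crash with both the assertion and the quick re-activation is the exact trace the advisory describes; a crash without the assertion is still worth a look, but is a weaker signal.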

Indicators of Compromise

  • cve — CVE-2026-41651

Entities

  • PackageKit (product)
  • Ubuntu (product)
  • Debian (product)
  • Fedora (product)
  • RockyLinux (product)
  • Deutsche Telekom (vendor)